Update example in XSRF section.

Login forms don't actually need XSRF protection, so use a message-posting
form instead.

diff --git a/website/templates/documentation.txt b/website/templates/documentation.txt
index 4ea3887d64096dd898c815a562722e0a274273f8..9f2ed37a69d8800c45e921badf99e4f8895633b8 100644 (file)
--- a/website/templates/documentation.txt
+++ b/website/templates/documentation.txt
@@ -438,11 +438,10 @@ correct `_xsrf` value. If you turn this setting on, you need to instrument
 all forms that submit via `POST` to contain this field. You can do this with
 the special function `xsrf_form_html()`, available in all templates:
 
-    <form action="/login" method="post">
+    <form action="/new_message" method="post">
       {{ xsrf_form_html() }}
-      <div>Username: <input type="text" name="username"/></div>
-      <div>Password: <input type="password" name="password"/></div>
-      <div><input type="submit" value="Sign in"/></div>
+      <input type="text" name="message"/>
+      <input type="submit" value="Post"/>
     </form>
 
 If you submit AJAX `POST` requests, you will also need to instrument your