diff -r b758351d191f -r cc9b7e14412b web/lib/django/contrib/formtools/wizard.py
--- a/web/lib/django/contrib/formtools/wizard.py	Wed May 19 17:43:59 2010 +0200
+++ b/web/lib/django/contrib/formtools/wizard.py	Tue May 25 02:43:45 2010 +0200
@@ -14,21 +14,30 @@
 from django.utils.hashcompat import md5_constructor
 from django.utils.translation import ugettext_lazy as _
 from django.contrib.formtools.utils import security_hash
+from django.utils.decorators import method_decorator
+from django.views.decorators.csrf import csrf_protect
+
 
 class FormWizard(object):
-    # Dictionary of extra template context variables.
-    extra_context = {}
-
     # The HTML (and POST data) field name for the "step" variable.
     step_field_name="wizard_step"
 
     # METHODS SUBCLASSES SHOULDN'T OVERRIDE ###################################
 
     def __init__(self, form_list, initial=None):
-        "form_list should be a list of Form classes (not instances)."
+        """
+        Start a new wizard with a list of forms.
+        
+        form_list should be a list of Form classes (not instances).
+        """
         self.form_list = form_list[:]
         self.initial = initial or {}
-        self.step = 0 # A zero-based counter keeping track of which step we're in.
+
+        # Dictionary of extra template context variables.
+        self.extra_context = {}
+
+        # A zero-based counter keeping track of which step we're in.
+        self.step = 0 
 
     def __repr__(self):
         return "step: %d\nform_list: %s\ninitial_data: %s" % (self.step, self.form_list, self.initial)
@@ -44,6 +53,7 @@
         # hook methods might alter self.form_list.
         return len(self.form_list)
 
+    @method_decorator(csrf_protect)
     def __call__(self, request, *args, **kwargs):
         """
         Main method that does all the hard work, conforming to the Django view