This was just pointed out to me:
http://www.djangoproject.com/weblog/2010/sep/08/security-release/
"""
The provided template tag for inserting the CSRF token into forms -- {% csrf_token %} -- explicitly trusts the cookie value, and displays it as-is. Thus, an attacker who is able to tamper with the value of the CSRF cookie can cause arbitrary content to be inserted, unescaped, into the outgoing HTML of the form, enabling cross-site scripting (XSS) attacks. """
Thanks.
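To make the quoted advisory concrete, here is an added Python example (not Django's own code, and not part of the original post) that models a template tag rendering the hidden CSRF input from the cookie value: the trusting version beside a hardened one that allow-lists the token alphabet and escapes on output. The token length, helper names and the tampered cookie value are constructed assumptions.

```python
import html
import re
import secrets

# Constructed model of a {% csrf_token %}-style tag; hypothetical names throughout.
TOKEN_LENGTH = 32                       # assumed token length (hex characters)
NON_TOKEN_CHARS = re.compile(r"[^a-zA-Z0-9]")
INPUT_TEMPLATE = '<input type="hidden" name="csrfmiddlewaretoken" value="%s" />'
# What a correctly rendered fragment must look like: exactly one hidden input
# whose value is drawn only from the token alphabet.
INTACT_RE = re.compile(
    r'<input type="hidden" name="csrfmiddlewaretoken" value="[a-zA-Z0-9]*" />')


def new_token() -> str:
    """Fresh random token using only characters from the allowed alphabet."""
    return secrets.token_hex(TOKEN_LENGTH // 2)


def render_csrf_input_vulnerable(cookie_value: str) -> str:
    """The pattern the advisory describes: trust the cookie and emit it as-is."""
    return INPUT_TEMPLATE % cookie_value


def sanitize_token(cookie_value: str) -> str:
    """Strip everything outside the token alphabet; if nothing is left
    (truncated or wholly bogus cookie) issue a new token. A real middleware
    would also have to reset the cookie to the regenerated value."""
    token = NON_TOKEN_CHARS.sub("", cookie_value)
    return token or new_token()


def render_csrf_input_hardened(cookie_value: str) -> str:
    """Sanitize the cookie value first, then still HTML-escape on output
    as defense in depth, so a tampered cookie can never break out of the
    value attribute."""
    return INPUT_TEMPLATE % html.escape(sanitize_token(cookie_value), quote=True)


def is_markup_intact(rendered: str) -> bool:
    """Detection check for tests or a template linter: True only if the
    rendered fragment is a single well-formed hidden input."""
    return INTACT_RE.fullmatch(rendered) is not None


# Constructed tampered cookie value: closes the attribute and injects markup.
TAMPERED_COOKIE = 'abc123"><b>injected</b><input value="'

if __name__ == "__main__":
    print(render_csrf_input_vulnerable(TAMPERED_COOKIE))
    print(render_csrf_input_hardened(TAMPERED_COOKIE))
```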