From f605eaedd3ba02988b67b699029b402c96b61ee7 Mon Sep 17 00:00:00 2001
From: Jiangge Zhang
Date: Tue, 23 Sep 2014 17:55:48 +0800
Subject: [PATCH] Add support to customize hidden tag. Or some apps enabled CSP will be blocked because of the inline style. Issue #149
---
 docs/config.rst | 34 +++++++++++++++++++---------------
 flask_wtf/form.py | 16 +++++++++++++---
 2 files changed, 32 insertions(+), 18 deletions(-)
diff --git a/docs/config.rst b/docs/config.rst
index f3b35ff3..48f7fbbc 100644
--- a/docs/config.rst
+++ b/docs/config.rst
@@ -9,21 +9,25 @@ Forms and CSRF
The full list of configuration for Flask-WTF. Usually, you don't need to configure any of them. It just works.
-=================== ===============================================
-WTF_CSRF_ENABLED Disable/enable CSRF protection for forms.
- Default is True.
-WTF_I18N_ENABLED Disable/enable I18N support. This should work
- together with Flask-Babel. Default is True.
-WTF_CSRF_SECRET_KEY A random string for generating CSRF token.
- Default is the same as SECRET_KEY.
-WTF_CSRF_TIME_LIMIT CSRF token expiring time. Default is **3600**
- seconds.
-WTF_CSRF_SSL_STRICT Strictly protection on SSL. This will check
- the referrer, validate if it is from the same
- origin. Default is True.
-WTF_CSRF_METHODS CSRF protection on these request methods.
- Default is **['POST', 'PUT', 'PATCH']**
-=================== ===============================================
+==================== ===============================================
+WTF_CSRF_ENABLED Disable/enable CSRF protection for forms.
+ Default is True.
+WTF_I18N_ENABLED Disable/enable I18N support. This should work
+ together with Flask-Babel. Default is True.
+WTF_CSRF_SECRET_KEY A random string for generating CSRF token.
+ Default is the same as SECRET_KEY.
+WTF_CSRF_TIME_LIMIT CSRF token expiring time. Default is **3600**
+ seconds.
+WTF_CSRF_SSL_STRICT Strictly protection on SSL. This will check
+ the referrer, validate if it is from the same
+ origin. Default is True.
+WTF_CSRF_METHODS CSRF protection on these request methods.
+ Default is **['POST', 'PUT', 'PATCH']**
+WTF_HIDDEN_TAG HTML tag name of the hidden tag wrapper.
+ Default is **div**
+WTF_HIDDEN_TAG_ATTRS HTML tag attributes of the hidden tag wrapper.
+ Default is **{'style': 'display:none;'}**
+==================== ===============================================
Recaptcha
diff --git a/flask_wtf/form.py b/flask_wtf/form.py
index 5a4b5c86..bac8fd2f 100644
--- a/flask_wtf/form.py
+++ b/flask_wtf/form.py
@@ -2,7 +2,7 @@ import werkzeug.datastructures
-from jinja2 import Markup
+from jinja2 import Markup, escape
from flask import request, session, current_app
from wtforms.fields import HiddenField
from wtforms.widgets import HiddenInput
@@ -57,6 +57,7 @@ class Form(SecureForm):
csrf behavior is suppressed. Default: WTF_CSRF_ENABLED config value """ + SECRET_KEY = None
TIME_LIMIT = None
@@ -139,12 +140,21 @@ def hidden_tag(self, *fields):
if not fields:
fields = [f for f in self if _is_hidden(f)]
- rv = [u'
']
+ name = current_app.config.get('WTF_HIDDEN_TAG', 'div')
+ attrs = current_app.config.get(
+ 'WTF_HIDDEN_TAG_ATTRS', {'style': 'display:none;'})
+
+ tag_attrs = u' '.join(
+ u'%s="%s"' % (escape(k), escape(v)) for k, v in attrs.items())
+ tag_start = u'<%s %s>' % (escape(name), tag_attrs)
+ tag_end = u'' % escape(name)
+
+ rv = [tag_start]
for field in fields:
if isinstance(field, string_types):
field = getattr(self, field)
rv.append(text_type(field))
- rv.append(u"
") + rv.append(tag_end) return Markup(u"".join(rv))