Merged
34 changes: 19 additions & 15 deletions docs/config.rst
Expand Up @@ -9,21 +9,25 @@ Forms and CSRF
The full list of configuration for Flask-WTF. Usually, you don't need
to configure any of them. It just works.

=================== ===============================================
WTF_CSRF_ENABLED Disable/enable CSRF protection for forms.
Default is True.
WTF_I18N_ENABLED Disable/enable I18N support. This should work
together with Flask-Babel. Default is True.
WTF_CSRF_SECRET_KEY A random string for generating CSRF token.
Default is the same as SECRET_KEY.
WTF_CSRF_TIME_LIMIT CSRF token expiring time. Default is **3600**
seconds.
WTF_CSRF_SSL_STRICT Strictly protection on SSL. This will check
the referrer, validate if it is from the same
origin. Default is True.
WTF_CSRF_METHODS CSRF protection on these request methods.
Default is **['POST', 'PUT', 'PATCH']**
=================== ===============================================
==================== ===============================================
WTF_CSRF_ENABLED Disable/enable CSRF protection for forms.
Default is True.
WTF_I18N_ENABLED Disable/enable I18N support. This should work
together with Flask-Babel. Default is True.
WTF_CSRF_SECRET_KEY A random string for generating CSRF token.
Default is the same as SECRET_KEY.
WTF_CSRF_TIME_LIMIT CSRF token expiring time. Default is **3600**
seconds.
WTF_CSRF_SSL_STRICT Strictly protection on SSL. This will check
the referrer, validate if it is from the same
origin. Default is True.
WTF_CSRF_METHODS CSRF protection on these request methods.
Default is **['POST', 'PUT', 'PATCH']**
WTF_HIDDEN_TAG HTML tag name of the hidden tag wrapper.
Default is **div**
WTF_HIDDEN_TAG_ATTRS HTML tag attributes of the hidden tag wrapper.
Default is **{'style': 'display:none;'}**
==================== ===============================================


Recaptcha
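Review bot: the two new rows should state that `WTF_HIDDEN_TAG_ATTRS` replaces the default attribute dict rather than merging with it (the code reads it with `config.get('WTF_HIDDEN_TAG_ATTRS', {'style': 'display:none;'})`), so an app that sets `{'class': 'hidden'}` silently loses the `display:none;` style and must supply it itself; the rows also drop the trailing period the rest of the table uses ("Default is **div**" vs "Default is True."). Suggested wording: `WTF_HIDDEN_TAG_ATTRS  HTML tag attributes of the hidden tag wrapper; replaces the default, and keys and values are HTML-escaped. Default is **{'style': 'display:none;'}**.`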
16 changes: 13 additions & 3 deletions flask_wtf/form.py
Expand Up @@ -2,7 +2,7 @@

import werkzeug.datastructures

from jinja2 import Markup
from jinja2 import Markup, escape
from flask import request, session, current_app
from wtforms.fields import HiddenField
from wtforms.widgets import HiddenInput
Expand Down Expand Up @@ -57,6 +57,7 @@ class Form(SecureForm):
csrf behavior is suppressed.
Default: WTF_CSRF_ENABLED config value
"""

SECRET_KEY = None
TIME_LIMIT = None

Expand Down Expand Up @@ -139,12 +140,21 @@ def hidden_tag(self, *fields):
if not fields:
fields = [f for f in self if _is_hidden(f)]

rv = [u'<div style="display:none;">']
name = current_app.config.get('WTF_HIDDEN_TAG', 'div')
attrs = current_app.config.get(
'WTF_HIDDEN_TAG_ATTRS', {'style': 'display:none;'})

tag_attrs = u' '.join(
u'%s="%s"' % (escape(k), escape(v)) for k, v in attrs.items())
tag_start = u'<%s %s>' % (escape(name), tag_attrs)
tag_end = u'</%s>' % escape(name)

rv = [tag_start]
for field in fields:
if isinstance(field, string_types):
field = getattr(self, field)
rv.append(text_type(field))
rv.append(u"</div>")
rv.append(tag_end)

return Markup(u"".join(rv))

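Review bot: `tag_start` renders as `<div >` (stray space before the `>`) whenever `WTF_HIDDEN_TAG_ATTRS` is set to an empty dict, because `u'<%s %s>'` always inserts the separator even when `tag_attrs` is empty. Build the attribute string with a leading space per attribute instead, e.g. `tag_attrs = u''.join(u' %s="%s"' % (escape(k), escape(v)) for k, v in sorted(attrs.items()))` and `tag_start = u'<%s%s>' % (escape(name), tag_attrs)`; the `sorted()` also makes attribute order deterministic, which matters for tests and snapshot comparisons of rendered forms since plain dict iteration order is arbitrary on Python 2. Escaping the tag name as well as the attribute keys and values is the right call, since a config value containing a quote or `>` could otherwise terminate the attribute or the tag early and break the wrapper around the CSRF field; a one-line comment saying that is why `escape` is applied would help the next reader.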