tessl/pypi-flask-wtf
Form rendering, validation, and CSRF protection for Flask with WTForms.
- Workspace
- tessl
- Visibility
- Public
- Created
- Last updated
- Describes
'%3e%3cpath%20d='M3.389%209.069c0-.009.043-.033.029-.044L.029%207.77l3.287-1.197L6.574%207.77l.106.083.005%204-3.297%201.185V9.068ZM13.582%209.32V2.74l3.405%201.238v4.104L13.583%209.32ZM10.253%2014.66l-3.476%201.268v-4.027l3.476-1.313v4.072ZM10.253%2010.558l-3.476%201.239V7.784l3.476-1.268v4.042ZM10.253%2014.719v3.968L6.777%2020v-3.998l3.476-1.283ZM17%208.139v4.042l-3.418%201.239V9.378L17%208.138ZM3.3%2017.168%200%2015.943v-4.027l3.3%201.224v4.028ZM6.69%2011.916v4.027l-3.302%201.225v-4.072l3.301-1.18ZM6.69%203.743v4.012l-3.33-1.21V2.564l3.33%201.18Z'/%3e%3cpath%20d='M3.3%2013.066%200%2011.842V7.844l3.3%201.224v3.998ZM13.524%209.334l-.175.088.175-.014v4.027l-3.152%201.183-.06-.032v-3.983l1.986-.767-.111.006-1.876.657V6.531l3.213-1.224v4.027Zm-.263.133c-.065.008-.198.023-.233.088.065-.008.198-.023.233-.088Zm-.321.118c-.065.008-.198.023-.233.088.065-.009.198-.023.233-.088Zm-.321.118c-.066.008-.199.023-.234.088.065-.008.199-.023.234-.088ZM13.524%201.266v3.968l-3.213%201.195V2.46l3.213-1.194ZM10.253%202.475v3.968L6.777%207.726V3.743l3.476-1.268ZM8.2%204.458c-.304.064-.627.5-.708.79-.27.963.636%201.081%201.091.364.277-.437.354-1.308-.383-1.154ZM13.524%2013.51v3.983l-3.17%201.177c-.011%200-.043-.067-.043-.07v-3.895l3.213-1.195Zm-.884%201.63c-.495.085-1.068%201.015-.676%201.435.483.517%201.502-.636%201.147-1.246-.098-.169-.286-.221-.47-.19ZM10.165%202.387l-.037.065-3.395%201.249-3.345-1.212L6.88%201.21l3.285%201.178ZM13.437%201.177l-.088.073-3.057%201.127-3.034-1.082-.277-.133L10.151%200l3.286%201.177Z'/%3e%3c/g%3e%3cdefs%3e%3cclipPath%20id='a'%3e%3cpath%20fill='%23fff'%20d='M0%200h17v20H0z'/%3e%3c/clipPath%3e%3c/defs%3e%3c/svg%3e){kind=small}
To install, run
npx @tessl/cli install tessl/pypi-flask-wtf@1.2.0index.mddocs/
Flask-WTF
Flask-WTF is a Flask extension that provides simple integration between Flask and WTForms. It offers essential web form functionality including CSRF (Cross-Site Request Forgery) protection, secure file upload handling with validation, reCAPTCHA integration for bot protection, and seamless form rendering with automatic CSRF token generation. The library extends WTForms with Flask-specific features like request data binding, session-based CSRF tokens, and integration with Flask's application context.
Package Information
- Package Name: Flask-WTF
- Language: Python
- Installation:
pip install Flask-WTF - Package Type: Flask extension/library
Core Imports
from flask_wtf import FlaskForm, CSRFProtectSpecific functionality imports:
from flask_wtf import FlaskForm, CSRFProtect, RecaptchaField
from flask_wtf.csrf import generate_csrf, validate_csrf
from flask_wtf.file import FileField, FileRequired, FileAllowed, FileSize
from flask_wtf.recaptcha import Recaptcha, RecaptchaWidgetBasic Usage
from flask import Flask, render_template, request, redirect
from flask_wtf import FlaskForm, CSRFProtect
from wtforms import StringField, SubmitField
from wtforms.validators import DataRequired
app = Flask(__name__)
app.config['SECRET_KEY'] = 'your-secret-key'
# Enable CSRF protection globally
csrf = CSRFProtect(app)
class MyForm(FlaskForm):
name = StringField('Name', validators=[DataRequired()])
submit = SubmitField('Submit')
@app.route('/', methods=['GET', 'POST'])
def index():
form = MyForm()
if form.validate_on_submit():
name = form.name.data
return f'Hello {name}!'
return render_template('form.html', form=form)
# Template (form.html)
# <form method="POST">
# {{ form.hidden_tag() }} <!-- Includes CSRF token -->
# {{ form.name.label }} {{ form.name() }}
# {{ form.submit() }}
# </form>Architecture
Flask-WTF extends WTForms with Flask-specific integrations:
- Form Integration: FlaskForm automatically binds to Flask request data and provides CSRF protection
- CSRF Protection: Session-based token generation and validation with automatic request processing
- File Handling: Werkzeug-aware file fields with built-in validation capabilities
- Request Context: Seamless integration with Flask's application and request contexts
- Template Integration: Automatic CSRF token injection into Jinja2 templates
Capabilities
CSRF Protection
Comprehensive Cross-Site Request Forgery protection with automatic token generation, validation, and Flask request integration. Provides both global application protection and manual token handling for custom scenarios.
class CSRFProtect:
"""Enable CSRF protection globally for a Flask app."""
def __init__(self, app=None): ...
def init_app(self, app): ...
def exempt(self, view): ...
def protect(self): ...
def generate_csrf(secret_key: str = None, token_key: str = None) -> str:
"""Generate a CSRF token. The token is cached for a request."""
def validate_csrf(data: str, secret_key: str = None, time_limit: int = None, token_key: str = None):
"""Validate a CSRF token."""Form Handling
Flask-integrated form processing with automatic request data binding, validation, and CSRF token management. Provides enhanced form capabilities beyond basic WTForms functionality.
class FlaskForm(Form):
"""Flask-specific subclass of WTForms Form with CSRF protection."""
def __init__(self, formdata=_Auto, **kwargs): ...
def is_submitted(self) -> bool:
"""Consider the form submitted if method is POST, PUT, PATCH, or DELETE."""
def validate_on_submit(self, extra_validators=None) -> bool:
"""Call validate() only if the form is submitted."""
def hidden_tag(self, *fields):
"""Render the form's hidden fields in one call."""
# Re-exported from WTForms for convenience
Form = wtforms.Form # Base WTForms Form classFile Upload
Secure file upload handling with Werkzeug integration, providing specialized file fields and comprehensive validation including file type restrictions, size limits, and presence checking.
class FileField:
"""Werkzeug-aware file upload field."""
def process_formdata(self, valuelist): ...
class MultipleFileField:
"""Multiple file upload field (added in v1.2.0)."""
def process_formdata(self, valuelist): ...
class FileRequired:
"""Validates that uploaded file(s) are present."""
def __init__(self, message=None): ...
class FileAllowed:
"""Validates that uploaded file(s) have allowed extensions."""
def __init__(self, upload_set, message=None): ...
class FileSize:
"""Validates that uploaded file(s) are within size limits."""
def __init__(self, max_size: int, min_size: int = 0, message=None): ...
# Convenience aliases
file_required = FileRequired
file_allowed = FileAllowed
file_size = FileSizereCAPTCHA Integration
Complete Google reCAPTCHA integration with form fields, validation, and widget rendering. Provides bot protection for forms with configurable reCAPTCHA parameters and error handling.
class RecaptchaField(Field):
"""ReCAPTCHA form field with automatic validation."""
def __init__(self, label="", validators=None, **kwargs): ...
class Recaptcha:
"""Validates a ReCAPTCHA response."""
def __init__(self, message=None): ...
def __call__(self, form, field): ...
class RecaptchaWidget:
"""Widget for rendering ReCAPTCHA HTML."""
def recaptcha_html(self, public_key: str): ...Core Types
class CSRFError(Exception):
"""CSRF validation error exception (inherits from werkzeug.exceptions.BadRequest)"""
description: str = "CSRF validation failed."
# Form validation status indicator
_Auto: object # Internal marker for automatic formdata bindingConfiguration
Flask-WTF uses Flask's configuration system. Key configuration options:
CSRF Settings
WTF_CSRF_ENABLED(bool): Enable/disable CSRF protection (default: True)WTF_CSRF_SECRET_KEY(str): Secret key for CSRF tokens (defaults to app.secret_key)WTF_CSRF_TIME_LIMIT(int): Token expiration in seconds (default: 3600)WTF_CSRF_FIELD_NAME(str): CSRF token field name (default: "csrf_token")
reCAPTCHA Settings
RECAPTCHA_PUBLIC_KEY(str): reCAPTCHA site key (required)RECAPTCHA_PRIVATE_KEY(str): reCAPTCHA secret key (required)
Internationalization
WTF_I18N_ENABLED(bool): Enable/disable i18n support (default: True)