2

I'd like to create and fill out a Flask WTF-Form using only python code. However, the form doesn't automatically generate a CSRF token when I create it with python code. Is there any way to do this manually?

The form in question: 

from flask_wtf import Form
from wtforms import StringField
from wtforms.validators import DataRequired, URL

class URLForm(Form):
    url = StringField('url', validators=[DataRequired(), URL(), Level3Url()])

the code I use to generate the form:

from forms import URLForm
form = URLForm()
if 'url' in request.args:
    url = request.args.get('url')
    form.url.data = url
    if form.validate():
        ...
Improve this question

2 Answers 2

Reset to default
1

You'd be effectively disabling CSRF protection by generating and passing a token to the form locally. It's only effective when the user submits a previously generated token.

Since you're not using CSRF protection, disable it. You can also pass request.args as the source of data.

form = URLForm(request.args, csrf_enabled=False)

If you want to use CSRF for this form, then the form needs to send the csrf_token field, which can be rendered with {{ form.csrf_token }} or {{ form.hidden_tag() }}.

Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

0

In newest version of flask_wtf (0.14.2) you can disable csrf token in this way.

form = URLForm(request.args, meta={'csrf': False})
Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.