Exposure of the csrf_token field value #297
Comments
Is there any update on this issue? We are currently forced to pin Flask-WTF to
@slint We're still "manually" filtering out the CSRF token as needed. We would be happy to try and provide a pull request once time allows, but we've been waiting on feedback on whether or not this should be fixed in Flask-WTForms or WTForms.
@fdanielsen You can leave a helper function here right now, in case anyone seeks the same problem.
I've run into a tangentially related issue recently while updating old dependencies (including an old version of

Here's what fixed it for us:

```python
from flask_superadmin import model
from flask_superadmin.model.backends.mongoengine.orm import data_to_document


class OurAdmin(model.ModelAdmin):
    @classmethod
    def _patch_form_populate_obj(cls, form):
        # wtforms started returning csrf token as a part of the data as well,
        # which we don't want to use when populating models
        def new_populate_obj(form, obj):
            data = {k: v for k, v in form.data.items() if k != 'csrf_token'}
            data_to_document(obj, data)
            return obj

        # Assigned on the form class returned by get_form(), so it is called
        # as a bound method with the form instance as the first argument.
        form.populate_obj = new_populate_obj
        return form

    def get_form(self):
        return self._patch_form_populate_obj(super().get_form())
```

Sorry, I know this isn't terribly relevant to
@lepture Sorry for not getting back with an example fix for others. Reminded by @AlecRosenbaum's recent post, I'll share our

```python
from flask_wtf import FlaskForm


class BaseFlaskForm(FlaskForm):
    @property
    def data(self):
        # Same as WTForms' Form.data, minus the csrf_token field,
        # which is only meaningful while validating the request.
        return dict(
            (name, f.data) for name, f in self._fields.items() if name != "csrf_token"
        )
```
Previously Flask-WTF stripped away the csrf_token field value when accessing the form data. But in 42befd0 this was removed. Is this intentional? Now a form will expose the token as part of the data, even though it's an implicit value not generally useful outside the form.

I realize it is WTForms that implements the general logic for supporting CSRF validation, so maybe this is viewed as the responsibility of WTForms in the same way that form.populate_obj explicitly avoids populating the CSRF field value on the object. Sadly WTForms has no such filtering when accessing form.data, and the filtering in Flask-WTF was useful as it was. I'll raise an issue with WTForms if that's where you think this should be fixed.