Issue #1 new

Changes to hidden_tag break CSRF

Dan Jacob avatarDan Jacob created an issue

The changes to hidden_tag() break CSRF in unit tests.

However I'm trying to see how the addition of a _method field broke your form - could you please provide more detail here ?

Comments (3)

  1. David Baumgold

    Here is the form definition I was using:

    class DeleteForm(wtf.Form):
        method = wtf.HiddenField(default="DELETE")
        
        def __init__(self, *args, **kwargs):
            super(DeleteForm, self).__init__(*args, **kwargs)
            self.method.name = "_method"
    

    I was unable to get that form even to render until I modified hidden_tag. If there's a better way to get a hidden field with name="_method", please tell me.

  2. Log in to comment
Tip: Filter by directory path e.g. /media app.js to search for public/media/app.js.
Tip: Use camelCasing e.g. ProjME to search for ProjectModifiedEvent.java.
Tip: Filter by extension type e.g. /repo .js to search for all .js files in the /repo directory.
Tip: Separate your search with spaces e.g. /ssh pom.xml to search for src/ssh/pom.xml.
Tip: Use ↑ and ↓ arrow keys to navigate and return to view the file.
Tip: You can also navigate files with Ctrl+j (next) and Ctrl+k (previous) and view the file with Ctrl+o.
Tip: You can also navigate files with Alt+j (next) and Alt+k (previous) and view the file with Alt+o.