1. David Baumgold
  2. flask-wtf
  3. Issues
Issue #1 new

Changes to hidden_tag break CSRF

Dan Jacob
created an issue

The changes to hidden_tag() break CSRF in unit tests.

However I'm trying to see how the addition of a _method field broke your form - could you please provide more detail here ?

Comments (3)

  1. David Baumgold repo owner

    Here is the form definition I was using:

    class DeleteForm(wtf.Form):
        method = wtf.HiddenField(default="DELETE")
        
        def __init__(self, *args, **kwargs):
            super(DeleteForm, self).__init__(*args, **kwargs)
            self.method.name = "_method"
    

    I was unable to get that form even to render until I modified hidden_tag. If there's a better way to get a hidden field with name="_method", please tell me.

  2. Log in to comment