Changes

Version 1.0.1

Released 2022-03-31

  • Update compatibility with the latest Werkzeug release. #511

Version 1.0.0

Released 2021-11-07

Version 0.15.1

Released 2021-05-25

  • Add python_requires metadata to avoid installing on unsupported Python versions. #442

Version 0.15.0

Released 2021-05-24

Version 0.14.3

Released 2020-02-06

  • Fix deprecated imports from werkzeug and collections.

Version 0.14.2

Released 2017-01-10

  • Fix bug where FlaskForm assumed meta argument was not None if it was passed. #278

Version 0.14.1

Released 2017-01-10

  • Fix bug where the file validators would incorrectly identify an empty file as valid data. #276, #277

    • FileField is no longer deprecated. The data is checked during processing and only set if it’s a valid file.

    • has_file is deprecated; it’s now equivalent to bool(field.data).

    • FileRequired and FileAllowed work with both the Flask-WTF and WTForms FileField classes.

    • The Optional validator now works with FileField.

Version 0.14

Released 2017-01-06

  • Use ItsDangerous to sign CSRF tokens and check expiration instead of doing it ourselves. #264

    • All tokens are URL safe, removing the url_safe parameter from generate_csrf. #206

    • All tokens store a timestamp, which is checked in validate_csrf. The time_limit parameter of generate_csrf is removed.

  • Remove the app attribute from CsrfProtect, use current_app. #264

  • CsrfProtect protects the DELETE method by default. #264

  • The same CSRF token is generated for the lifetime of a request. It is exposed as g.csrf_token for use during testing. #227, #264

  • CsrfProtect.error_handler is deprecated. #264

    • Handlers that return a response work in addition to those that raise an error. The behavior was not clear in previous docs.

    • #200, #209, #243, #252

  • Use Form.Meta instead of deprecated SecureForm for CSRF (and everything else). #216, #271

    • csrf_enabled parameter is still recognized but deprecated. All other attributes and methods from SecureForm are removed. #271

  • Provide WTF_CSRF_FIELD_NAME to configure the name of the CSRF token. #271

  • validate_csrf raises wtforms.ValidationError with specific messages instead of returning True or False. This breaks anything that was calling the method directly. #239, #271

    • CSRF errors are logged as well as raised. #239

  • CsrfProtect is renamed to CSRFProtect. A deprecation warning is issued when using the old name. CsrfError is renamed to CSRFError without deprecation. #271

  • FileField is deprecated because it no longer provides functionality over the provided validators. Use wtforms.FileField directly. #272

Version 0.13.1

Released 2016-10-6

  • Deprecation warning for Form is shown during __init__ instead of immediately when subclassing. #262

  • Don’t use pkg_resources to get version, for compatibility with GAE. #261

Version 0.13

Released 2016-09-29

  • Form is renamed to FlaskForm in order to avoid name collision with WTForms’s base class. Using Form will show a deprecation warning. #250

  • hidden_tag no longer wraps the hidden inputs in a hidden div. This is valid HTML5 and any modern HTML parser will behave correctly. #193, #217

  • flask_wtf.html5 is deprecated. Import directly from wtforms.fields.html5. #251

  • is_submitted is true for PATCH and DELETE in addition to POST and PUT. #187

  • generate_csrf takes a token_key parameter to specify the key stored in the session. #206

  • generate_csrf takes a url_safe parameter to allow the token to be used in URLs. #206

  • form.data can be accessed multiple times without raising an exception. #248

  • File extension with multiple parts (.tar.gz) can be used in the FileAllowed validator. #201

Version 0.12

Released 2015-07-09

  • Abstract protect_csrf() into a separate method.

  • Update reCAPTCHA configuration.

  • Fix reCAPTCHA error handle.

Version 0.11

Released 2015-01-21

  • Use the new reCAPTCHA API. #164

Version 0.10.3

Released 2014-11-16

  • Add configuration: WTF_CSRF_HEADERS. #159

  • Support customize hidden tags. #150

  • And many more bug fixes.

Version 0.10.2

Released 2014-09-03

  • Update translation for reCaptcha. #146

Version 0.10.1

Released 2014-08-26

  • Update RECAPTCHA_API_SERVER_URL. #145

  • Update requirement Werkzeug >= 0.9.5.

  • Fix CsrfProtect exempt for blueprints. #143

Version 0.10.0

Released 2014-07-16

  • Add configuration: WTF_CSRF_METHODS.

  • Support WTForms 2.0 now.

  • Fix CSRF validation without time limit (time_limit=False).

  • csrf_exempt supports blueprint. #111

Version 0.9.5

Released 2014-03-21

  • csrf_token for all template types. #112

  • Make FileRequired a subclass of InputRequired. #108

Version 0.9.4

Released 2013-12-20

  • Bugfix for csrf module when form has a prefix.

  • Compatible support for WTForms 2.

  • Remove file API for FileField

Version 0.9.3

Released 2013-10-02

  • Fix validation of recaptcha when app in testing mode. #89

  • Bugfix for csrf module. #91

Version 0.9.2

Released 2013-09-11

  • Upgrade WTForms to 1.0.5.

  • No lazy string for i18n. #77

  • No DateInput widget in HTML5. #81

  • PUT and PATCH for CSRF. #86

Version 0.9.1

Released 2013-08-21

  • Compatibility with Flask < 0.10. #82

Version 0.9.0

Released 2013-08-15

  • Add i18n support. #65

  • Use default HTML5 widgets and fields provided by WTForms.

  • Python 3.3+ support.

  • Redesign form, replace SessionSecureForm.

  • CSRF protection solution.

  • Drop WTForms imports.

  • Fix recaptcha i18n support.

  • Fix recaptcha validator for Python 3.

  • More test cases, it’s 90%+ coverage now.

  • Redesign documentation.

Version 0.8.4

Released 2013-03-28

  • Recaptcha Validator now returns provided message. #66

  • Minor doc fixes.

  • Fixed issue with tests barking because of nose/multiprocessing issue.

Version 0.8.3

Released 2013-03-13

  • Update documentation to indicate pending deprecation of WTForms namespace facade.

  • PEP8 fixes. #64

  • Fix Recaptcha widget. #49

Version 0.8.2 and prior

Initial development by Dan Jacob and Ron Duplain.