Flask-WTF Changelog

Version 0.14.2

Released 2017-01-10

  • Fix bug where FlaskForm assumed meta argument was not None if it was passed. (#278)

Version 0.14.1

Released 2017-01-10

  • Fix bug where the file validators would incorrectly identify an empty file as valid data. (#276, #277)

    • FileField is no longer deprecated. The data is checked during processing and only set if it's a valid file.
    • has_file is deprecated; it's now equivalent to bool(field.data).
    • FileRequired and FileAllowed work with both the Flask-WTF and WTForms FileField classes.
    • The Optional validator now works with FileField.

Version 0.14

Released 2017-01-06

  • Use itsdangerous to sign CSRF tokens and check expiration instead of doing it ourselves. (#264)

    • All tokens are URL safe, removing the url_safe parameter from generate_csrf. (#206)
    • All tokens store a timestamp, which is checked in validate_csrf. The time_limit parameter of generate_csrf is removed.
  • Remove the app attribute from CsrfProtect, use current_app. (#264)

  • CsrfProtect protects the DELETE method by default. (#264)

  • The same CSRF token is generated for the lifetime of a request. It is exposed as request.csrf_token for use during testing. (#227, #264)

  • CsrfProtect.error_handler is deprecated. (#264)

    • Handlers that return a response work in addition to those that raise an error. The behavior was not clear in previous docs.
    • (#200, #209, #243, #252)
  • Use Form.Meta instead of deprecated SecureForm for CSRF (and everything else). (#216, #271)

    • csrf_enabled parameter is still recognized but deprecated. All other attributes and methods from SecureForm are removed. (#271)
  • Provide WTF_CSRF_FIELD_NAME to configure the name of the CSRF token. (#271)

  • validate_csrf raises wtforms.ValidationError with specific messages instead of returning True or False. This breaks anything that was calling the method directly. (#239, #271)

    • CSRF errors are logged as well as raised. (#239)
  • CsrfProtect is renamed to CSRFProtect. A deprecation warning is issued when using the old name. CsrfError is renamed to CSRFError without deprecation. (#271)

  • FileField is deprecated because it no longer provides functionality over the provided validators. Use wtforms.FileField directly. (#272)

Version 0.13.1

Released 2016/10/6

  • Deprecation warning for Form is shown during __init__ instead of immediately when subclassing. (#262)
  • Don't use pkg_resources to get version, for compatibility with GAE. (#261)

Version 0.13

Released 2016/09/29

  • Form is renamed to FlaskForm in order to avoid name collision with WTForms's base class. Using Form will show a deprecation warning. (#250)
  • hidden_tag no longer wraps the hidden inputs in a hidden div. This is valid HTML5 and any modern HTML parser will behave correctly. (#217, #193)
  • flask_wtf.html5 is deprecated. Import directly from wtforms.fields.html5. (#251)
  • is_submitted is true for PATCH and DELETE in addition to POST and PUT. (#187)
  • generate_csrf takes a token_key parameter to specify the key stored in the session. (#206)
  • generate_csrf takes a url_safe parameter to allow the token to be used in URLs. (#206)
  • form.data can be accessed multiple times without raising an exception. (#248)
  • File extension with multiple parts (.tar.gz) can be used in the FileAllowed validator. (#201)

Version 0.12

Released 2015/07/09

  • Abstract protect_csrf() into a separate method
  • Update reCAPTCHA configuration
  • Fix reCAPTCHA error handle

Version 0.11

Released 2015/01/21

  • Use the new reCAPTCHA API via #164.

Version 0.10.3

Released 2014/11/16

  • Add configuration: WTF_CSRF_HEADERS via #159.
  • Support customize hidden tags via #150.
  • And many more bug fixes

Version 0.10.2

Released 2014/09/03

  • Update translation for reCaptcha via #146.

Version 0.10.1

Released 2014/08/26

  • Update RECAPTCHA API SERVER URL via #145.
  • Update requirement Werkzeug>=0.9.5
  • Fix CsrfProtect exempt for blueprints via #143.

Version 0.10.0

Released 2014/07/16

  • Add configuration: WTF_CSRF_METHODS
  • Support WTForms 2.0 now
  • Fix csrf validation without time limit (time_limit=False)
  • CSRF exempt supports blueprint #111.

Version 0.9.5

Released 2014/03/21

  • csrf_token for all template types #112.
  • Make FileRequired a subclass of InputRequired #108.

Version 0.9.4

Released 2013/12/20

  • Bugfix for csrf module when form has a prefix
  • Compatible support for wtforms2
  • Remove file API for FileField

Version 0.9.3

Released 2013/10/02

  • Fix validation of recaptcha when app in testing mode #89.
  • Bugfix for csrf module #91

Version 0.9.2

Released 2013/9/11

  • Upgrade wtforms to 1.0.5.
  • No lazy string for i18n #77.
  • No DateInput widget in html5 #81.
  • PUT and PATCH for CSRF #86.

Version 0.9.1

Released 2013/8/21

This is a patch version for backward compitable for Flask<0.10 #82.

Version 0.9.0

Released 2013/8/15

  • Add i18n support (issue #65)
  • Use default html5 widgets and fields provided by wtforms
  • Python 3.3+ support
  • Redesign form, replace SessionSecureForm
  • CSRF protection solution
  • Drop wtforms imports
  • Fix recaptcha i18n support
  • Fix recaptcha validator for python 3
  • More test cases, it's 90%+ coverage now
  • Redesign documentation

Version 0.8.4

Released 2013/3/28

  • Recaptcha Validator now returns provided message (issue #66)
  • Minor doc fixes
  • Fixed issue with tests barking because of nose/multiprocessing issue.

Version 0.8.3

Released 2013/3/13

  • Update documentation to indicate pending deprecation of WTForms namespace facade
  • PEP8 fixes (issue #64)
  • Fix Recaptcha widget (issue #49)

Version 0.8.2 and prior

Initial development by Dan Jacob and Ron Duplain. 0.8.2 and prior there was not a change log.