Add support to customize hidden tag.

Or some apps enabled CSP will be blocked because of the inline style. Issue #149
pallets-eco · Sep 23, 2014 · f605eae · f605eae
1 parent 9c1991a
commit f605eae
Show file tree

Hide file tree

Showing 2 changed files with 32 additions and 18 deletions.
diff --git a/docs/config.rst b/docs/config.rst
@@ -9,21 +9,25 @@ Forms and CSRF
 The full list of configuration for Flask-WTF. Usually, you don't need
 to configure any of them. It just works.
 
-=================== ===============================================
-WTF_CSRF_ENABLED    Disable/enable CSRF protection for forms.
-                    Default is True.
-WTF_I18N_ENABLED    Disable/enable I18N support. This should work
-                    together with Flask-Babel. Default is True.
-WTF_CSRF_SECRET_KEY A random string for generating CSRF token.
-                    Default is the same as SECRET_KEY.
-WTF_CSRF_TIME_LIMIT CSRF token expiring time. Default is **3600**
-                    seconds.
-WTF_CSRF_SSL_STRICT Strictly protection on SSL. This will check
-                    the referrer, validate if it is from the same
-                    origin. Default is True.
-WTF_CSRF_METHODS    CSRF protection on these request methods.
-                    Default is **['POST', 'PUT', 'PATCH']**
-=================== ===============================================
+==================== ===============================================
+WTF_CSRF_ENABLED     Disable/enable CSRF protection for forms.
+                     Default is True.
+WTF_I18N_ENABLED     Disable/enable I18N support. This should work
+                     together with Flask-Babel. Default is True.
+WTF_CSRF_SECRET_KEY  A random string for generating CSRF token.
+                     Default is the same as SECRET_KEY.
+WTF_CSRF_TIME_LIMIT  CSRF token expiring time. Default is **3600**
+                     seconds.
+WTF_CSRF_SSL_STRICT  Strictly protection on SSL. This will check
+                     the referrer, validate if it is from the same
+                     origin. Default is True.
+WTF_CSRF_METHODS     CSRF protection on these request methods.
+                     Default is **['POST', 'PUT', 'PATCH']**
+WTF_HIDDEN_TAG       HTML tag name of the hidden tag wrapper.
+                     Default is **div**
+WTF_HIDDEN_TAG_ATTRS HTML tag attributes of the hidden tag wrapper.
+                     Default is **{'style': 'display:none;'}**
+==================== ===============================================
 
 
 Recaptcha

diff --git a/flask_wtf/form.py b/flask_wtf/form.py
@@ -2,7 +2,7 @@
 
 import werkzeug.datastructures
 
-from jinja2 import Markup
+from jinja2 import Markup, escape
 from flask import request, session, current_app
 from wtforms.fields import HiddenField
 from wtforms.widgets import HiddenInput
@@ -57,6 +57,7 @@ class Form(SecureForm):
                          csrf behavior is suppressed.
                          Default: WTF_CSRF_ENABLED config value
     """
+
     SECRET_KEY = None
     TIME_LIMIT = None
 
@@ -139,12 +140,21 @@ def hidden_tag(self, *fields):
         if not fields:
             fields = [f for f in self if _is_hidden(f)]
 
-        rv = [u'<div style="display:none;">']
+        name = current_app.config.get('WTF_HIDDEN_TAG', 'div')
+        attrs = current_app.config.get(
+            'WTF_HIDDEN_TAG_ATTRS', {'style': 'display:none;'})
+
+        tag_attrs = u' '.join(
+            u'%s="%s"' % (escape(k), escape(v)) for k, v in attrs.items())
+        tag_start = u'<%s %s>' % (escape(name), tag_attrs)
+        tag_end = u'</%s>' % escape(name)
+
+        rv = [tag_start]
         for field in fields:
             if isinstance(field, string_types):
                 field = getattr(self, field)
             rv.append(text_type(field))
-        rv.append(u"</div>")
+        rv.append(tag_end)
 
         return Markup(u"".join(rv))