flask-WTForms 的预期行为?
Expected behavior of flask-WTForms?
我刚开始使用 Flask 并试图制作一个登录表单,但是 flask-wtf/WTForm 似乎在实例化响应表单时以某种方式丢失了密码字段。
我的表单看起来像这样
from flask_wtf import Form
from wtforms import StringField, PasswordField
from wtforms.validators import DataRequired
class LoginForm(Form):
name = StringField('name', validators=[DataRequired()])
password = PasswordField('password', validators=[DataRequired()])
def validate_password(self, field):
print "password field is {}".format(field)
视图看起来像这样:
@app.route('/login', methods=['GET', 'POST'])
def login():
form = LoginForm(request.form)
if form.validate_on_submit():
print "** new request"
print "request.values = {}".format(request.values)
print "request.form = {}".format(request.form)
print "form.name = {}".format(form.name)
print "form.password = {}".format(form.password)
print "form.csrf_token = {}".format(form.csrf_token)
# do stuff with form.name and form.password and then render_template as appropiate
return render_template('login.html', form=form)
当客户端发布登录表单时,程序打印如下:
password field is <input id="password" name="password" type="password" value=""> # <-- value is empty!
** new request
request.values = CombinedMultiDict([ImmutableMultiDict([]), ImmutableMultiDict([('csrf_token', u'1444574310##420f08dc670febba20d0a4dfd9085e5f6ad4dded'), ('password', u'hemlis'), ('name', u'kalle')])])
request.form = ImmutableMultiDict([('csrf_token', u'1444574310##420f08dc670febba20d0a4dfd9085e5f6ad4dded'), ('password', u'hemlis'), ('name', u'kalle')])
form.name = <input id="name" name="name" type="text" value="kalle">
form.password = <input id="password" name="password" type="password" value=""> # <-- value is empty!
form.csrf_token = <input id="csrf_token" name="csrf_token" type="hidden" value="1444574315##24eca44ce86f86523ddf9d138f07fc306ed77a96">
密码字段的值丢失,即使它设法获取名称和 csrf_token 的值也是如此。如果我将密码字段的类型更改为 StringField,密码值将按预期由表单获取,但这不是一个令人满意的解决方法! :-)
为了安全起见,我是否应该在这里做更多的事情来获取密码字段,或者这是某个地方的错误?
此外,这是我的 requirement.txt
bcrypt==2.0.0
BeautifulSoup==3.2.1
blinker==1.4
cffi==1.2.1
Flask==0.10.1
Flask-Login==0.3.2
Flask-Mail==0.9.1
Flask-Principal==0.4.0
Flask-WTF==0.12
itsdangerous==0.24
Jinja2==2.8
Markdown==2.6.2
MarkupSafe==0.23
micawber==0.3.3
passlib==1.6.5
peewee==2.6.4
pycparser==2.14
six==1.10.0
Werkzeug==0.10.4
wheel==0.24.0
WTForms==2.0.2
当您请求 form.password 时,您实际上是在请求该对象的 HTML 表示,根据 PasswordField 包括先前输入的数据 HTML 元素将是一个非常糟糕的安全漏洞,因为只需查看 HTML 源代码即可查看密码(在本地,或者更可能是有人通过共享的不安全 wifi 网络进行监控)
要查看提交的表单元素中包含的数据,请使用 .data 属性,例如 form.password.data.
我刚开始使用 Flask 并试图制作一个登录表单,但是 flask-wtf/WTForm 似乎在实例化响应表单时以某种方式丢失了密码字段。 我的表单看起来像这样
from flask_wtf import Form
from wtforms import StringField, PasswordField
from wtforms.validators import DataRequired
class LoginForm(Form):
name = StringField('name', validators=[DataRequired()])
password = PasswordField('password', validators=[DataRequired()])
def validate_password(self, field):
print "password field is {}".format(field)
视图看起来像这样:
@app.route('/login', methods=['GET', 'POST'])
def login():
form = LoginForm(request.form)
if form.validate_on_submit():
print "** new request"
print "request.values = {}".format(request.values)
print "request.form = {}".format(request.form)
print "form.name = {}".format(form.name)
print "form.password = {}".format(form.password)
print "form.csrf_token = {}".format(form.csrf_token)
# do stuff with form.name and form.password and then render_template as appropiate
return render_template('login.html', form=form)
当客户端发布登录表单时,程序打印如下:
password field is <input id="password" name="password" type="password" value=""> # <-- value is empty!
** new request
request.values = CombinedMultiDict([ImmutableMultiDict([]), ImmutableMultiDict([('csrf_token', u'1444574310##420f08dc670febba20d0a4dfd9085e5f6ad4dded'), ('password', u'hemlis'), ('name', u'kalle')])])
request.form = ImmutableMultiDict([('csrf_token', u'1444574310##420f08dc670febba20d0a4dfd9085e5f6ad4dded'), ('password', u'hemlis'), ('name', u'kalle')])
form.name = <input id="name" name="name" type="text" value="kalle">
form.password = <input id="password" name="password" type="password" value=""> # <-- value is empty!
form.csrf_token = <input id="csrf_token" name="csrf_token" type="hidden" value="1444574315##24eca44ce86f86523ddf9d138f07fc306ed77a96">
密码字段的值丢失,即使它设法获取名称和 csrf_token 的值也是如此。如果我将密码字段的类型更改为 StringField,密码值将按预期由表单获取,但这不是一个令人满意的解决方法! :-)
为了安全起见,我是否应该在这里做更多的事情来获取密码字段,或者这是某个地方的错误?
此外,这是我的 requirement.txt
bcrypt==2.0.0
BeautifulSoup==3.2.1
blinker==1.4
cffi==1.2.1
Flask==0.10.1
Flask-Login==0.3.2
Flask-Mail==0.9.1
Flask-Principal==0.4.0
Flask-WTF==0.12
itsdangerous==0.24
Jinja2==2.8
Markdown==2.6.2
MarkupSafe==0.23
micawber==0.3.3
passlib==1.6.5
peewee==2.6.4
pycparser==2.14
six==1.10.0
Werkzeug==0.10.4
wheel==0.24.0
WTForms==2.0.2
当您请求 form.password 时,您实际上是在请求该对象的 HTML 表示,根据 PasswordField 包括先前输入的数据 HTML 元素将是一个非常糟糕的安全漏洞,因为只需查看 HTML 源代码即可查看密码(在本地,或者更可能是有人通过共享的不安全 wifi 网络进行监控)
要查看提交的表单元素中包含的数据,请使用 .data 属性,例如 form.password.data.