烧瓶-WTForms的预期行为?

时间:2015-10-11 14:02:33

标签: python flask wtforms flask-wtforms

我刚刚开始使用Flask,并且正在尝试创建一个登录表单,但是当实例化响应表单时,flask-wtf / WTForm似乎以某种方式丢失了密码字段。 我的表格看起来像这样

from flask_wtf import Form
from wtforms import StringField, PasswordField
from wtforms.validators import DataRequired

class LoginForm(Form):
    name = StringField('name', validators=[DataRequired()])
    password = PasswordField('password', validators=[DataRequired()])

    def validate_password(self, field):
        print "password field is {}".format(field)

视图看起来像这样:

@app.route('/login', methods=['GET', 'POST'])
def login():
    form = LoginForm(request.form)
    if form.validate_on_submit():
        print "** new request"
        print "request.values = {}".format(request.values)
        print "request.form = {}".format(request.form)
        print "form.name = {}".format(form.name)
        print "form.password = {}".format(form.password)
        print "form.csrf_token = {}".format(form.csrf_token)
        # do stuff with form.name and form.password and then render_template as appropiate
    return render_template('login.html', form=form)

当客户发布登录表单时,程序会打印出:

password field is <input id="password" name="password" type="password" value=""> # <-- value is empty!
** new request
request.values = CombinedMultiDict([ImmutableMultiDict([]),     ImmutableMultiDict([('csrf_token',   u'1444574310##420f08dc670febba20d0a4dfd9085e5f6ad4dded'), ('password', u'hemlis'), ('name', u'kalle')])])
request.form = ImmutableMultiDict([('csrf_token', u'1444574310##420f08dc670febba20d0a4dfd9085e5f6ad4dded'), ('password', u'hemlis'), ('name', u'kalle')])
form.name = <input id="name" name="name" type="text" value="kalle">
form.password = <input id="password" name="password" type="password" value=""> # <-- value is empty!
form.csrf_token = <input id="csrf_token" name="csrf_token" type="hidden" value="1444574315##24eca44ce86f86523ddf9d138f07fc306ed77a96">

即使密码字段设法获取name和csrf_token的值,也会丢失密码字段的值。如果我更改了类型,如果密码字段为StringField密码值被表单按预期获取,但这不是一个令人满意的解决方法! : - )

我应该在这里做些什么来获取密码字段,因为安全性,或者这是某个地方的错误?

另外,这是我的requirement.txt

bcrypt==2.0.0
BeautifulSoup==3.2.1
blinker==1.4
cffi==1.2.1
Flask==0.10.1
Flask-Login==0.3.2
Flask-Mail==0.9.1
Flask-Principal==0.4.0
Flask-WTF==0.12
itsdangerous==0.24
Jinja2==2.8
Markdown==2.6.2
MarkupSafe==0.23
micawber==0.3.3
passlib==1.6.5
peewee==2.6.4
pycparser==2.14
six==1.10.0
Werkzeug==0.10.4
wheel==0.24.0
WTForms==2.0.2

1 个答案:

答案 0 :(得分:2)

当您要求form.password实际上要求该对象的HTML表示时,就PasswordField而言,包括先前在该HTML元素中输入的数据将会非常糟糕安全漏洞可以通过查看HTML源代码来查看密码(在本地,或者更有可能通过共享的不安全的无线网络进行监控)

要查看已提交表单元素中包含的数据,请使用.data属性,例如form.password.data