Jinja check: Missing CSRF protection

Flask apps that use Flask-WTF must render a CSRF token inside the HTML template itself; enabling the extension on the server is not enough if the form never submits the token. This check detects HTML forms in Jinja templates that are missing that token.

Description

The Flask-WTF documentation states that forms must render the CSRF token in the template, either as the form's csrf_token field or as a hidden input whose value comes from csrf_token(). It is highly recommended that every form that submits a POST request is protected with a CSRF token.

<form method="post">
  {{ form.csrf_token }}
</form>
<form method="post">
  <input type="hidden" name="csrf_token" value="{{ csrf_token() }}" />
</form>

This is easy to forget. jinjalint-form-missing-csrf-protection flags forms that contain neither of the above CSRF tokens, such as the following:

<html>
  <body>
    <form method="post">
      <input name="foo" value="bar" />
    </form>
  </body>
</html>

The check considers either of the following cases acceptable.

<html>
  <body>
    <form method="post">
      <input type="hidden" name="csrf_token" value="{{ csrf_token() }}" />
    </form>
  </body>
</html>

<html>
  <body>
    <form method="post">
      {{ form.csrf_token }}
    </form>
  </body>
</html>
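As an added example (this is not jinjalint's own implementation), the following Python script re-creates the check with only the standard library. It walks a template with HTMLParser and reports every <form method="post"> that renders neither {{ form.csrf_token }} nor a hidden csrf_token input populated from {{ csrf_token() }}. Two design choices are assumptions made here, not documented behaviour of the real check: forms that use GET (the default method) are exempt because GET requests should not change state, and a bare {{ csrf_token() }} outside an input's value attribute does not count, because it only prints the token as text and adds no field to the submission. The sample template is constructed for this example; its first three forms mirror the cases above.

```python
"""Simplified re-implementation of the form-missing-csrf-protection check.

Added example, not jinjalint's own code. Assumptions: GET forms are exempt,
and only `{{ form.csrf_token }}` (a rendered field) or a hidden input with
name="csrf_token" and value="{{ csrf_token() }}" counts as protection.
"""
import re
from dataclasses import dataclass
from html.parser import HTMLParser

# {{ form.csrf_token }} (any field-object prefix) renders a hidden input.
FIELD_EXPR = re.compile(r"\{\{\s*\w+\.csrf_token\s*\}\}")
# {{ csrf_token() }} returns the raw token; it only helps inside an input value.
FUNC_EXPR = re.compile(r"\{\{\s*csrf_token\(\)\s*\}\}")


@dataclass
class FormInfo:
    line: int           # 1-based line of the <form> start tag
    method: str         # lower-cased method attribute ("get" if absent)
    protected: bool = False


class FormCsrfChecker(HTMLParser):
    """Tracks open <form> elements and whether each rendered a CSRF token."""

    def __init__(self):
        super().__init__()
        self.forms = []     # forms whose end tag has been seen
        self._open = []     # stack of forms currently being parsed

    def handle_starttag(self, tag, attrs):
        attrs = {name: (value or "") for name, value in attrs}
        if tag == "form":
            line, _ = self.getpos()
            method = attrs.get("method", "get").strip().lower()
            self._open.append(FormInfo(line=line, method=method))
        elif tag == "input" and self._open:
            hidden = attrs.get("type", "").strip().lower() == "hidden"
            named = attrs.get("name", "").strip() == "csrf_token"
            if hidden and named and FUNC_EXPR.search(attrs.get("value", "")):
                self._open[-1].protected = True

    def handle_data(self, data):
        # `{{ form.csrf_token }}` shows up as text data inside the form.
        if self._open and FIELD_EXPR.search(data):
            self._open[-1].protected = True

    def handle_endtag(self, tag):
        if tag == "form" and self._open:
            self.forms.append(self._open.pop())

    def all_forms(self):
        # Forms that are never closed in the template are still reported.
        return self.forms + self._open


def find_unprotected_forms(template):
    """Return the 1-based line numbers of POST forms lacking a CSRF token."""
    parser = FormCsrfChecker()
    parser.feed(template)
    parser.close()
    return sorted(f.line for f in parser.all_forms()
                  if f.method == "post" and not f.protected)


# Constructed sample template: forms on lines 3, 18 and 21 should be flagged.
SAMPLE = """<html>
  <body>
    <form method="post">
      <input name="foo" value="bar" />
    </form>
    <form method="post">
      <input type="hidden" name="csrf_token" value="{{ csrf_token() }}" />
    </form>
    <form method="post">
      {{ form.csrf_token }}
    </form>
    <form action="/search">
      <input name="q" />
    </form>
    <form method="POST" action="/update">
      <fieldset>{{ form.csrf_token }}</fieldset>
    </form>
    <form method="post" action="/delete">
      <input type="hidden" name="csrf_token" value="static-value" />
    </form>
    <form method="post" action="/rename">
      {{ csrf_token() }}
    </form>
  </body>
</html>
"""

if __name__ == "__main__":
    for line in find_unprotected_forms(SAMPLE):
        print(f"line {line}: form is missing CSRF protection")
```

Run the script directly and it prints one line per flagged form. The hard-coded value on line 18 and the bare token expression on line 21 are the two mistakes worth noticing beyond the plain omission: both look like CSRF handling at a glance, yet neither submits a token the server can validate.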

References