Flask-wtf

--------------

Released 2017-01-10

- Fix bug where the file validators would incorrectly identify an
empty file as valid data. :issue:`276`, :pr:`277`

- ``FileField`` is no longer deprecated. The data is checked
during processing and only set if it's a valid file.
- ``has_file`` *is* deprecated; it's now equivalent to
``bool(field.data)``.
- ``FileRequired`` and ``FileAllowed`` work with both the
Flask-WTF and WTForms ``FileField`` classes.
- The ``Optional`` validator now works with ``FileField``.

------------

Released 2017-01-06

- Use ItsDangerous to sign CSRF tokens and check expiration instead of
doing it ourselves. :issue:`264`

- All tokens are URL safe, removing the ``url_safe`` parameter
from ``generate_csrf``. :issue:`206`
- All tokens store a timestamp, which is checked in
``validate_csrf``. The ``time_limit`` parameter of
``generate_csrf`` is removed.

- Remove the ``app`` attribute from ``CsrfProtect``, use
``current_app``. :issue:`264`
- ``CsrfProtect`` protects the ``DELETE`` method by default.
:issue:`264`
- The same CSRF token is generated for the lifetime of a request. It
is exposed as ``g.csrf_token`` for use during testing.
:issue:`227, 264`
- ``CsrfProtect.error_handler`` is deprecated. :issue:`264`

- Handlers that return a response work in addition to those that
raise an error. The behavior was not clear in previous docs.
- :issue:`200, 209, 243, 252`

- Use ``Form.Meta`` instead of deprecated ``SecureForm`` for CSRF (and
everything else). :issue:`216, 271`

- ``csrf_enabled`` parameter is still recognized but deprecated.
All other attributes and methods from ``SecureForm`` are
removed. :issue:`271`

- Provide ``WTF_CSRF_FIELD_NAME`` to configure the name of the CSRF
token. :issue:`271`
- ``validate_csrf`` raises ``wtforms.ValidationError`` with specific
messages instead of returning ``True`` or ``False``. This breaks
anything that was calling the method directly. :issue:`239, 271`

- CSRF errors are logged as well as raised. :issue:`239`

- ``CsrfProtect`` is renamed to ``CSRFProtect``. A deprecation warning
is issued when using the old name. ``CsrfError`` is renamed to
``CSRFError`` without deprecation. :issue:`271`
- ``FileField`` is deprecated because it no longer provides
functionality over the provided validators. Use
``wtforms.FileField`` directly. :issue:`272`

--------------

Released 2016-10-6

- Deprecation warning for ``Form`` is shown during ``__init__``
instead of immediately when subclassing. :issue:`262`
- Don't use ``pkg_resources`` to get version, for compatibility with
GAE. :issue:`261`

------------

Released 2016-09-29

- ``Form`` is renamed to ``FlaskForm`` in order to avoid name
collision with WTForms's base class. Using ``Form`` will show a
deprecation warning. :issue:`250`
- ``hidden_tag`` no longer wraps the hidden inputs in a hidden div.
This is valid HTML5 and any modern HTML parser will behave
correctly. :issue:`193, 217`
- ``flask_wtf.html5`` is deprecated. Import directly from
``wtforms.fields.html5``. :issue:`251`
- ``is_submitted`` is true for ``PATCH`` and ``DELETE`` in addition to
``POST`` and ``PUT``. :issue:`187`
- ``generate_csrf`` takes a ``token_key`` parameter to specify the key
stored in the session. :issue:`206`
- ``generate_csrf`` takes a ``url_safe`` parameter to allow the token
to be used in URLs. :issue:`206`
- ``form.data`` can be accessed multiple times without raising an
exception. :issue:`248`
- File extension with multiple parts (``.tar.gz``) can be used in the
``FileAllowed`` validator. :issue:`201`

------------

Released 2015-07-09

- Abstract ``protect_csrf()`` into a separate method.
- Update reCAPTCHA configuration.
- Fix reCAPTCHA error handle.

------------

Released 2015-01-21

- Use the new reCAPTCHA API. :pr:`164`