jinjalint-form-missing-csrf-protection

tl;dr Flask-WTF's CSRF protection only covers a form whose Jinja template actually renders the CSRF token inside it. This check flags HTML forms in Jinja templates that do not render one.

Description

The Flask-WTF documentation states that forms must render the CSRF token in the template: the server-side check can only validate a token that the form actually submits. It is highly recommended that all forms are protected with CSRF tokens, using either of the following renderings.

<form method="post">
    {{ form.csrf_token }}
</form>
<form method="post">
    <input type="hidden" name="csrf_token" value="{{ csrf_token() }}"/>
</form>

This is easy to forget. jinjalint-form-missing-csrf-protection flags forms that contain neither of the above renderings, such as the following form, which posts without any token.

<html>
    <body>
        <form method="post">
            <input name="foo" value="bar"/>
        </form>
    </body>
</html>

The check considers the following cases acceptable, since each form renders the token in one of the two supported ways.

<html>
    <body>
        <form method="post">
            <input type="hidden" name="csrf_token" value="{{ csrf_token() }}"/>
        </form>
    </body>
</html>

<html>
    <body>
        <form method="post">
            {{ form.csrf_token }}
        </form>
    </body>
</html>
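To make the rule concrete, here is a small stand-alone scanner that applies it using only the Python standard library. This is an added example, not jinjalint's own implementation: it parses a template with html.parser, records each form with its line number, and marks the form protected when it contains either of the two renderings listed above. Two assumptions are not stated on this page: a form with no method attribute is treated as GET (the HTML default) and GET forms are not flagged, and only the two renderings above count, so any other way of emitting the token (a macro, for example) is reported. The names FormScanner and find_unprotected_forms are mine; the sample templates are the ones from this page, embedded as constructed strings.

```python
import re
from html.parser import HTMLParser

# Hypothetical stand-alone scanner added for illustration; it is not
# jinjalint's own implementation. A form counts as protected only if it
# contains one of the two renderings shown in the documentation:
#   {{ form.csrf_token }}   or   <input ... name="csrf_token" ...>
CSRF_EXPR_RE = re.compile(r"\{\{\s*form\.csrf_token\s*\}\}")


class FormScanner(HTMLParser):
    """Records every <form> as (line, method, protected)."""

    def __init__(self):
        super().__init__()
        self.forms = []   # finished forms
        self._open = []   # forms whose </form> has not been seen yet

    def handle_starttag(self, tag, attrs):
        attrs = {name: (value or "").strip().lower() for name, value in attrs}
        if tag == "form":
            line, _ = self.getpos()   # 1-based line of the opening tag
            # Assumption: a missing or empty method means GET (the HTML
            # default), and GET forms are not flagged.
            self._open.append([line, attrs.get("method") or "get", False])
        elif tag == "input" and self._open and attrs.get("name") == "csrf_token":
            self._open[-1][2] = True   # hidden csrf_token input

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)   # self-closing <input .../>

    def handle_data(self, data):
        # Jinja expressions are not tags, so {{ form.csrf_token }} arrives as text.
        if self._open and CSRF_EXPR_RE.search(data):
            self._open[-1][2] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._open:
            self.forms.append(tuple(self._open.pop()))

    def close(self):
        super().close()
        while self._open:   # a <form> that is never closed is still reported
            self.forms.append(tuple(self._open.pop()))


def find_unprotected_forms(template):
    """Return (line, method) for every non-GET form that renders no CSRF token."""
    scanner = FormScanner()
    scanner.feed(template)
    scanner.close()
    return sorted((line, method) for line, method, protected in scanner.forms
                  if method != "get" and not protected)


# Constructed sample templates: the flagged form and the two accepted
# forms from the documentation above.
FLAGGED = """<html>
    <body>
        <form method="post">
            <input name="foo" value="bar"/>
        </form>
    </body>
</html>
"""

ACCEPTED_HIDDEN_INPUT = """<html>
    <body>
        <form method="post">
            <input type="hidden" name="csrf_token" value="{{ csrf_token() }}"/>
        </form>
    </body>
</html>
"""

ACCEPTED_FORM_FIELD = """<html>
    <body>
        <form method="post">
            {{ form.csrf_token }}
        </form>
    </body>
</html>
"""

if __name__ == "__main__":
    for name, template in (("flagged", FLAGGED),
                           ("hidden input", ACCEPTED_HIDDEN_INPUT),
                           ("form field", ACCEPTED_FORM_FIELD)):
        findings = find_unprotected_forms(template)
        print(name, "->", findings or "ok")
```

Running it reports the flagged template's form at line 3 and finds nothing in the two accepted templates. Because Jinja expressions are not HTML tags, {{ form.csrf_token }} reaches the parser as plain text, which is why that check lives in handle_data rather than in the tag handler; the hidden-input rendering, by contrast, is an ordinary tag and is caught by its name attribute.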

References