Why use WTForms instead of just posting with HTML

I could say CSRF protection is one of the greatest reasons, but there are a lot of reasons why one would use WTForms over plain HTML forms.

  • CSRF protection out of the box
  • Form validation out the box
  • WTForms come as classes, so all the good comes from an object form.

Basically, if your project has a lot of forms looking the same with minor differences, WTForms would be of great help.

And then you have validations out of the box: you use a simple validation for Email and all other kinds of data, and they are there, no need to bother with writing your own validators and keep maintaining them.

CSRF is one of the OWASP Top 10 attacks[1], so providing good protection over this is really important.

WTForms is really useful; it does a lot of heavy lifting for you when it comes to data validation on top of the CSRF protection. Another useful thing is its use combined with Jinja2, where you need to write less code to render the form.

Note: Jinja2 is one of the most used template engines for Python.

For example, when using a FlaskForm, rendering the form's CSRF field would be like this.

<form method="post">
    {{ form.csrf_token }}
    <input type="submit" value="Submit"/>
</form>

But if the template doesn't use a FlaskForm, you need to render a hidden input with the token in the form.

<form method="post">
    <input type="hidden" name="csrf_token" value="{{ csrf_token() }}"/>
    <input type="submit" value="Submit"/>
</form>

In a way, it's less code.