WTForms

3.2.1 · active · verified Sun Apr 05

WTForms is a flexible forms validation and rendering library for Python web development, providing tools for data validation, CSRF protection, and internationalization. It is designed to be framework-agnostic, working with various web frameworks and template engines. It is actively maintained with regular releases.

Warnings

breaking The `wtforms.ext.*` modules were completely removed in WTForms 3.0. These extensions (e.g., `wtforms.ext.sqlalchemy`, `wtforms.ext.appengine`, `wtforms.ext.csrf`) are now maintained as separate, independent packages (e.g., `WTForms-SQLAlchemy`, `WTForms-Appengine`, `Flask-WTF` for Flask integration with CSRF built-in).
Fix: Migrate to the equivalent standalone library for any removed `wtforms.ext.*` functionality. For example, `wtforms.ext.sqlalchemy` becomes `wtforms_sqlalchemy`.
breaking The `wtforms.validators.Required` validator was renamed to `wtforms.validators.DataRequired` in WTForms 2.0 to clarify its behavior (checks for non-empty data).
Fix: Update imports and usage from `Required` to `DataRequired`.
breaking The `TextField` alias for `StringField` was deprecated in WTForms 2.x and removed in 3.x.
Fix: Replace all instances of `TextField` with `StringField`.
breaking In WTForms 3.2.0, the key used for form-level errors (not specific to a field) moved from `None` to an empty string `""`.
Fix: When accessing form errors, check `form.errors.get('')` instead of `form.errors.get(None)`. If you need to revert to the old behavior, you can set `_form_error_key=None` on your form class.
gotcha WTForms provides the `FileField` for file input but does not handle the actual file upload storage or processing. This is typically managed by the underlying web framework (e.g., Flask's `request.files`, Django's `request.FILES`).
Fix: Implement file handling logic separately in your application's view functions, utilizing your web framework's capabilities for processing uploaded files after WTForms validates the field's presence/metadata.
gotcha WTForms handles CSRF protection directly within the core library since version 2.0, moving it out of `wtforms.ext.csrf`. If integrating with frameworks like Flask, companion libraries such as `Flask-WTF` often provide a more streamlined, automated CSRF implementation.
Fix: For basic usage, ensure your form includes a `CSRFTokenField` and your template renders it. If using a framework-specific integration, consult its documentation (e.g., `Flask-WTF` automatically handles this if `SECRET_KEY` is set).

Install

pip install WTForms Install latest version

Imports

Form
```
from wtforms import Form
```
StringField
```
from wtforms import StringField
```
TextField was an alias for StringField, deprecated in WTForms 2.x and removed in 3.x. Use StringField instead.
SubmitField
```
from wtforms import SubmitField
```
validators
```
from wtforms import validators
```
DataRequired
```
from wtforms.validators import DataRequired
```
Required was renamed to DataRequired in WTForms 2.x.

Quickstart

Defines a simple login form with username, password, and submit fields, including basic length and data required validators. It then demonstrates instantiating the form with mock data and performing validation. For web frameworks, you would typically pass `request.form` or `request.json` to the form constructor.

from wtforms import Form, StringField, PasswordField, validators, SubmitField

class LoginForm(Form):
    username = StringField('Username', [validators.Length(min=4, max=25), validators.DataRequired()])
    password = PasswordField('Password', [validators.DataRequired(), validators.Length(min=8)])
    submit = SubmitField('Sign In')

# Example usage (simulating a request)
if __name__ == '__main__':
    # Simulate form data from a POST request
    mock_form_data = {
        'username': 'testuser',
        'password': 'securepassword',
        'submit': 'Sign In'
    }

    form = LoginForm(data=mock_form_data)

    if form.validate():
        print(f"Form validated successfully for user: {form.username.data}")
        # In a real application, you'd process the data here
    else:
        print("Form validation failed:")
        for field, errors in form.errors.items():
            for error in errors:
                print(f"  {field}: {error}")

    # Example with invalid data
    invalid_form_data = {
        'username': 'abc',
        'password': 'short',
        'submit': 'Sign In'
    }
    invalid_form = LoginForm(data=invalid_form_data)

    if not invalid_form.validate():
        print("\nInvalid form submitted:")
        for field, errors in invalid_form.errors.items():
            for error in errors:
                print(f"  {field}: {error}")

view raw JSON →