Forms are the standard way users input or edit data in web applications. At the their lowest-level, forms are made up of HTML tags with special meaning. While you can directly add HTML form tags to Django templates or Jinja templates, you really want to avoid this and use Django's built-in form support to make form processing easier.

In this chapter you'll learn how to structure Django forms and the workflow forms undergo. You'll also learn the various field types and widgets supported by Django forms, how to validate form data and manage its errors, as well as how to layout forms and their errors in templates.

Once you have a firm understanding of the basics behind Django forms, you'll learn how to create custom form fields and widgets. Finally, you'll learn more complex Django form processing techniques, such as: partial form processing, form processing with AJAX, how to process files sent through Django forms and how to process multiple forms on the same page with Django formsets.

Django form structure and workflow

Django has a special forms package that offers a comprehensive way to work with forms. Among this package's features are the ability to define form functionality in a single location, data validation and tight integration with Django models, among other things. Let's take a first look at a standalone Django form class in listing 6-1 which is used to back a contact form.

Listing 6-1. Django form class definition

# in app named 'contact'
from django import forms

class ContactForm(forms.Form):
      name = forms.CharField(required=False)
      email = forms.EmailField(label='Your email')  
      comment = forms.CharField(widget=forms.Textarea)
Note There's no specific location Django expects forms to be in. You can equally place Django form classes in their own file inside an app (e.g. or place them inside other app files (e.g., You can later import Django form classes to where they're needed, just like Django views or Python packages.

The first important aspect to note in listing 6-1 is a Django form definition is a sub-class of the forms.Form class, so it automatically has all the base functionality of this parent class. Next, you can see the form class has three attributes, two of the type forms.CharField and one of the type forms.EmailField. These form field definitions restrict input to certain characteristics.

For example, forms.CharField indicates the input should be a set of characters and forms.EmailField indicates the input should be an email. In addition, you can see each form field includes properties (e.g.required) to further restrict the type of input. For the moment this should be enough detail about Django form field types, the next section on Django form field types goes into greater detail on just this topic.

Next, let's integrate the Django form in listing 6-1 to a Django view method so it can then be passed and rendered in a Django template. Listing 6-2 illustrates the initial iteration of this view method.

Listing 6-2. Django view method that uses a Django form

# in app named 'contact'
from django.shortcuts import render
from .forms import ContactForm

def contact(request):
    form = ContactForm()
    return render(request,'about/contact.html',{'form':form})

The view method in listing 6-2 first instantiates the ContactForm form class from listing 6-1 and assigns it to the form reference. This form reference is then passed as an argument to be made available inside the about/contact.html template.

Next, inside the Django template you can output a Django form as a regular variable. Listing 6-3 illustrates how the Django form is rendered if you use the standard template syntax {{form.as_table}}.

Listing 6-3. Django form instance rendered in template as HTML

	<th><label for="id_name">Name:</label></th>
	<td><input id="id_name" name="name" type="text" /></td>
	<th><label for="id_email">Your email:</label></th>
	<td><input id="id_email" required name="email" type="email" /></td>
	<th><label for="id_comment">Comment:</label></th>
	<td><textarea cols="40" id="id_comment" required name="comment" rows="10"></textarea></td>

In listing 6-3 you can see how the Django form is translated into HTML tags! Notice how the Django form produces the appropriate HTML <input> tags for each form field (e.g. forms.EmailField(label='Your email') creates the specified <label> and an HTML 5 type="email" to enforce client-side validation of an email). In addition, notice the name field lacks the HTML 5 required attribute due to the required=False statement used in the form field in listing 6-1.

If you look closely at listing 6-3, the HTML output for the Django form instance are just inner HTML table tags (i.e.<tr>,<th>,<td>). The output is missing an HTML <table> wrapper tag and supporting HTML form tags (i.e. <form> tag and action attribute to indicate where to send the form, as well as a submit button). This means you'll need to add the missing HTML form tags to the template to create a working web form -- a process that's described shortly in listing 6-4.

In addition, if you don't want to output the entire form fields surrounded by HTML table elements like listing 6-3, there are many other syntax variations to output form fields granularly and stripped of HTML tags. In this case, the {{form.as_table}} reference in the template is used to simplify things, but the upcoming section 'Set up the layout for Django forms in templates' in this chapter elaborates on the different syntax variations to output Django forms in templates.

Next, let's take a look at figure 6-1 which shows a Django form's workflow to better illustrate how Django forms work from start to finish.

Figure 6-1 Django forms workflow

The first two steps of the workflow in Figure 6-1 is what I've described up to this point. It consists of a user hitting a url that's processed by a view method which returns an empty form based on the Django form class definition. Listing 6-3 shows the raw HTML output of the Django form, but as I already mentioned, the form is missing elements in order to become a functional web form, next I'll describe the elements you need to add to get a functional web form.

Functional web form syntax for Django forms

So far you've learned how a Django form class definition can quickly be turned into an HTML form. But this automatic HTML generation is only part of the benefit of using Django form class definitions, you can also validate form values and present errors to end users much more quickly.

To perform these last actions, it's first necessary to have a functional web form. Listing 6-4 illustrates the template syntax to create a functional web form from a Django form.

Listing 6-4. Django form template declaration for functional web form

<form method="POST">
  {% csrf_token %}

  <input type="submit" value="Submit form">

The first thing to notice about listing 6-4 is the form is wrapped around the HTML <form> tag which is standard for all web forms. The reason Django forces you to explicitly set the <form> tag is because its attributes dictate much of a web form's behavior and can vary depending on the purpose of the form.

In listing 6-4, the method attribute tells a web browser that when the form is submitted it POST the data to the server. The POST method value is standard practice in web forms that process user data -- an alternative method option value is GET, but it's not a typical choice for transferring user provided data. The use of the POST method should become clearer shortly, but for more background on form method attributes, you can consult many Internet references on HTTP request methods[1].

Another important <form> attribute -- which is actually missing in listing 6-4 -- is action which tells a web browser where to submit the form (i.e. what url is tasked with processing the form). In this case, because listing 6-4 has no action attribute, a browser's behavior is to POST the data to the same url where it's currently on, meaning if the browser got the form from the /contact/ url, it will POST the data to the same /contact/ url. If you wanted to POST the form to a separate url, then you would add the action attribute (e.g. action="/urltoprocessform/") to the <form> tag.

Keep in mind that because the same url delivers the initial form -- via a GET request -- and must also process the form data -- via a POST request -- the backing view method of the url must be designed to handle both cases. I'll describe a modified version of listing 6-2 -- which just handles the GET request case -- to also handle the POST case in the next section.

The {% csrf_token %} statement in listing 6-4 is a Django tag. {% csrf_token %} is a special tag reserved for cases when a web form is submitted via POST and processed by Django. The csrf initials mean Cross-Site Request Forgery, which is a default security mechanism enforced by Django. While it's possible to disable CSRF and not include the {% csrf_token %} Django tag in forms, I would advise against it and recommend you keep adding the {% csrf_token %} Django tag to all forms with POST, as CSRF works as a safeguard and mostly behind the scenes. The last sub-section in this first section describes the reasoning behind CSRF and how it works in Django in greater detail.

Next in listing 6-4 is the {{form.as_table}} snippet wrapped in an <table> tag which represents the Django form instance and outputs the HTML output illustrated in listing 6-3. Finally, there's the <input type="submit"> tag which generates the form's submit button -- that when clicked on by a user submits the form -- and the closing </form> tag.

Django view method to process form (POST handling)

Once you have a functional web form in Django, it's necessary to create a view method to process it. In the previous section, I mentioned how the same url and by extension view method, would both handle generating the blank HTML form, as well as process the HTML form with data. Listing 6-5 illustrates a modified version of the view method in listing 6-2 that does exactly this.

Listing 6-5. Django view method that sends and processes Django form

from django.shortcuts import render
from django.http import HttpResponseRedirect
from .forms import ContactForm

def contact(request):
    if request.method == 'POST':
        # POST, generate form with data from the request
        form = ContactForm(request.POST)
        # check if it's valid:
        if form.is_valid():
            # process data, insert into DB, generate email,etc
            # redirect to a new url:
            return HttpResponseRedirect('/about/contact/thankyou')
        # GET, generate blank form
        form = ContactForm()
    return render(request,'about/contact.html',{'form':form})

The most important construct in the view method of listing 6-5 is the if/else condition that checks the request method type. If the request method type is POST (i.e. data submission or step 3 in figure 6-1) the form's data is processed, but if the request method type is anything else (i.e. initial request or step 1 in figure 6-1) an empty form is generated to produce the same behavior as listing 6-2. Notice the last line in listing 6-5 is a return statement that assigns the form instance -- whether empty(a.k.a. unbound) or populated (a.k.a. bound) -- and returns it to a template for rendering.

Now let's take a closer look at the POST logic in listing 6-5. If the request method type is POST it means there's incoming user data, so we access the incoming data with the request.POST reference and initialize the Django form with it. But notice how there's no need to access individual form fields or make piecemeal assignments -- although you could if you wanted to and this process is described in a later section in this chapter -- using request.POST as the argument of a Django form class is sufficient to populate a Django form instance with user data, it's that simple! It's worth mentioning that a Django form instance created in this manner (i.e. with user provided data) is known as a bound form instance.

At this point, we still don't know if a user provided valid data with respect to a Django form's field definitions (e.g. if values are text or a valid email). To validate a form's data, you must use the is_valid() helper method on the bound form instance. If form.is_valid() is True the data is processed and subsequent action is taken, in listing 6-5 this additional action consists of redirecting control to the /about/contact/thankyou url. If form.is_valid() is False it means the form data has errors, after which point control falls to the last return statement which now passes a bound form instance to render the template. By using a bound form instance in this last case, the user gets a rendered form filled with his initial data submission and errors so he's able to correct the data without reintroducing values from scratch.

I purposely didn't mention any more details about the is_valid() helper method or error message displays, because Django form processing can get a little complex. The subsequent section 'Django form processing: Initialization, field access, validation and error handling' covers all you need to know about Django form processing so it doesn't interfere in this introductory section.

CSRF: What is it and how does it work with Django ?

CSRF or Cross-Site Request Forgery is a technique used by cyber-criminals to force users into executing unwanted actions on a web application. When users interact with web forms, they make all kinds of state-changing tasks that range from making orders (e.g. products, money transfers) to changing their data (e.g. name, email, address). Most users tend to feel a heightened sense of security when they interact with web forms because they see an HTTPS/SSL security symbol or they've used a username/password prior to interacting with a web form, all of which leads to a feeling there's no way a cyber-criminal could eavesdrop, guess or interfere with their actions.

A CSRF attack relies for the most part on social engineering and lax application security on a web application, so the attack vector is open irrespective of other security measures (e.g. HTTPS/SSL, strong password). Figure 6-2 illustrates a CSRF vulnerable scenario on a web application.

Figure 6-2. Web application with no CSRF protection

After user "X" interacts with web application "A" (e.g. making an order, updating his email) he simply navigates away and goes to other sites. Like most web applications, web application "A" maintains valid user sessions for hours or days, in case users come back and decide to do other things without having to sign-in again. Meanwhile, a cyber-criminal has also used site "A" and knows exactly where and how all of its web forms work (e.g. urls, input parameters such as email, credit card).

Next, a cyber-criminal creates links or pages that mimic the submission of web forms on web application "A". For example, this could be a form that changes a user's email in order to overtake an account or transfers money from a user's account to steal funds. The cyber-criminal then seeds the Internet with these links or pages through email, social media or other web sites with enticing or frightening headlines: "Get a $100 coupon from site 'A'", "Urgent: Change your password on site 'A' because of a security risk'. In reality, these links or pages don't do what they advertise, but instead in a single click mimic web form submissions from site "A" (e.g. change a user's email or transfer funds).

Now lets turn our attention to unsuspecting user "X" that visited site "A" hours or days earlier. He catches a glimpse of these last advertisements and thinks "Wow, I can't pass this up". Thinking what harm can a click do, he clicks on the bogus advertisement, the user is then sent to a legitimate site 'A' page as a façade or the click 'appears' to have done nothing. User "X" thinks nothing of it and goes back to some other task. If site 'A' did not have web forms with CSRF protection, then user "X" just inadvertently -- in a single click -- performed an action on site "A" he wasn't aware of.

As you can see, in order to perform a CSRF attack all that's needed is for a user to have an active session on a given site and a cyber-criminal crafty enough to trick a user into clicking on a link or page that performs actions on said site. Hence the term's name: "Cross-Site", because the request doesn't come from the original site, and "Request Forgery" because it's a forged request by a cyber-criminal.

To protect against web form CSRF attacks, it's isn't sufficient for web applications to trust authenticated users, because as I've just described authenticated users could have inadvertently triggered actions they weren't aware of. Web forms must be equipped with a unique identifier -- often called a CSRF token -- that's unique to a user and has an expiration time, similar to a session identifier. In this manner, if a request is made by an authenticated user to a site, only requests that match his CSRF token are considered valid and all other requests are discarded, as illustrated figure 6-3.

Figure 6-3. Web application with CSRF protection

As you can see in figure 6-3, the inclusion of a CSRF token in a web form makes it very difficult to forge a user's request.

In Django, a CSRF token is generated in web forms with the {% csrf token %} tag that generates an HTML tag in the form <input type="hidden" name="csrfmiddlewaretoken" value="32_character_string">, where the 32-character string value varies by user. In this manner, if a Django application makes a POST request -- like those made by web forms -- it will only accept the request if the CSRF token is present and valid for a given user, otherwise it will generate a '403 Forbidden' page error.

Be aware CSRF is enabled by default on all Django applications thanks to its out-of-the-box middleware settings that includes the django.middleware.csrf.CsrfViewMiddleware class charged with enforcing CSRF functionality. If you wish to disable the CSRF support in a Django application completely, you can just remove the django.middleware.csrf.CsrfViewMiddleware class from the MIDDLEWARE variable in

If you wish to enable or disable CSRF on certain web forms, you can selectively use the @csrf_exempt() and @csrf_protect decorators on the view methods that process a web form's POST request.

To enable CSRF on all web forms and disable CSRF behavior on certain web forms, keep the django.middleware.csrf.CsrfViewMiddleware class in MIDDLEWARE and decorate the view methods you don't want CSRF validation on with the @csrf_exempt() decorator, as illustrated in listing 6-6.

Listing 6-6. Django view method decorated with @csrf_exempt() to bypass CSRF enforcement

from django.views.decorators.csrf import csrf_exempt

def contact(request):
    # Any POST processing inside view method
    # ignores if there is or isn't a CSRF token

To disable CSRF on all web forms and enable CSRF behavior on certain web forms, remove the django.middleware.csrf.CsrfViewMiddleware class from MIDDLEWARE and decorate the view methods you want CSRF validation on with the @csrf_protect() decorator, as illustrated in listing 6-7.

Listing 6.7- Django view method decorated with @csrf_protect() to enforce CSRF when CSRF is disabled at the project level

from django.views.decorators.csrf import csrf_protect

def contact(request):
    # Any POST processing inside view method
    # checks for the presence of a CSRF token
    # even when CsrfViewMiddleware is removed