# Flask
[Welcome to Flask — Flask Documentation (2.1.x)](https://flask.palletsprojects.com/en/2.1.x/)
[Download Flask Project Documentation](https://flask.palletsprojects.com/_/downloads/en/1.1.x/pdf/)

Flask is a mini-framework that allows you to create a web app (or website) using python.

## First Steps
* For those that are using pycharm you can skip the "Virtual Environment" step.

### Creating your Virtual Environment

First of all create the virtual environment of the project
https://github.com/gbr5/python_virtual_environment

In [None]:
pip install flask

# The command below shows us all the project dependencies
pip freeze

### Creating the main file of the project app.py

In [None]:
# app.py
from flask import Flask

# Create a Flask Instance
app = Flask(__name__)

# Create a route decorator
@app.route('/')
def index():
	return "<h1>Hello World!</h1>"

### Creating the environment variables:
informing that it is a development environment

In [None]:
export FLASK_ENV=development

Informing the server that our app sits on app.py

In [None]:
export FLASK_APP=app.py

Now our server will update itself every time we save a change in our project

To see the first page run the command below

In [None]:
flask run

And go to http://localhost:5000 or http://127.0.0.1:5000 or the url it generates on your terminal

### Using Variables from the url

In [None]:
from flask import Flask

# Create a Flask instance
app = Flask(__name__)


# Create a route decorator
@app.route('/user/<name>')
def index(name):
	return f"<h1>Hello {name}!</h1>"

### Using render_template

In [None]:
# Create a dir 'templates'
mkdir templates

# Create a file 'index.html'
touch templates/index.html

In [None]:
<!-- index.html -->
<h1>Hello World</h1>

In [None]:
# app.py
from flask import Flask, render_template

# Create a Flask Instance
app = Flask(__name__)


# Create a route decorator
@app.route('/')
def index():
	return render_template('index.html')

Save it and hit reload on your browser

## Jinja
 
[Jinja](https://jinja.palletsprojects.com/en/3.1.x/)
Jinja allows you to take advantage of templates feature, which is great for reusing code and to speed up the development process.

It also allows us to use ‘python’ code inside our html file, making it more dynamic.

In [None]:
touch templates/user.html

In [None]:
<!-- user.html -->
<h1>Hello {{ name }}</h1>

In [None]:
# app.py
from flask import Flask, render_template

# Create a Flask instance
app = Flask(__name__)

# Create a route decorator
@app.route('/')
def index():
	return render_template('index.html')

# Create a dynamic route decorator
# passing a variable through the render_template
@app.route('/user/<name>')
def index(name):
	return render_template('users.html', name=name)

### Filters

[Filters - Template Designer Documentation — Jinja Documentation (3.1.x)](https://jinja.palletsprojects.com/en/3.1.x/templates/#filters)

[List of Filters - Template Designer Documentation — Jinja Documentation (3.1.x)](https://jinja.palletsprojects.com/en/3.1.x/templates/#list-of-builtin-filters)

In [None]:
from flask import Flask, render_template

# Create a Flask Instance
app = Flask(__name__)


# Create a Route Decorator
@app.route('/')
def index():
  stuff = "Some stuff"
  return render_template('index.html', stuff=stuff)

#### Safe

Safe allows you to safely render html tags that were passed through a variable

Otherwise it would be render as plain text

In [None]:
<p>This is an html content {{ stuff|safe }}</p>

#### Capitalize

In [None]:
<p>This is a Capitalized string {{ stuff|capitalize }}</p>

#### Lower

In [None]:
<p>This is a lower case string {{ stuff|lower }}</p>

#### Upper

In [None]:
<p>This is a upper case string {{ stuff|upper }}</p>

#### Title

In [None]:
<!-- Title capitalizes every word on the string -->
<p>This is a title string {{ stuff|title }}</p>

### Trim

In [None]:
<!-- trim removes all white spaces from the string -->
<p>This is a trimmed string {{ stuff|trim }}</p>

#### Striptags

This is an important feature to prevent ill intended users to inject malicious code into the website, server, etc...

In [None]:
<!-- Striptags removes all html tags from the string, sanitizing it -->
<p>This is a tagless string {{ stuff|striptags }}</p>

#### Escape
....

In [None]:
<!-- Escape .... -->
<p>This is a .... string {{ stuff|escape }}</p>

### Python Logic Operators on HTML

One of the features of Jinja is allowing us to use python directly on html page, facilitating the manipulation on the DOM and variables

In [None]:
from flask import Flask, render_template

# Create a Flask instance
app = Flask(__name__)


# Create a Route Decorator
@app.route('/')
def index():
  pizza_toppings = ['Peperoni', 'Cheese', 'Marguerita']

  return render_template('index.html', pizza_toppings=pizza_toppings)

{% "Your logic goes here" %} => allows us to use logic operators inside html

{{ "Your variables comes here" }} => allows us to use variables inside html

In [None]:
...

<h1>HTML Page</h1>
<ol>
  {% for pizza_topping in pizza_toppings %}
    {% if pizza_topping is 'Peperonu' %}
      <li>Yay {{ pizza_topping }} pizza!</li>
    {% else %}
      <li>{{ pizza_topping }}</li>
    {% endif %}
    <!-- every time we use a logic operator such as loop for or if statements -->
    <!-- is important to close them like we did it right here -->
  {% endfor %}
</ol>
<br/>
<!-- We can also just print the list -->
{{ pizza_toppings }}
<br/>
<!-- Or we can choose one element of the list like we did it below -->
{{ pizza_toppings.0 }}

### Templates

Another feature of jinja is the ability to create templates to be able to reutilize code between pages of your applications.

In [None]:
touch templates/base.html

In [None]:
<h1>This is a template</h1>

{% block content %}

<!-- Content from other pages that uses this one as template will go here -->

{% endblock %}

## Error Pages

Error pages are important to comunicate to users what is happening.

Thus improving the user experience, and potencially helping them to navigate smoothly through our applications.

We use codes to differentiate between errors

### 404 - Page Not Found

404 error code means that the page the user is trying to reach does not exists.

In [None]:
touch templates/404.html

In [None]:
from flask import Flask, render_template

# Create a Flask instance
app = Flask(__name__)


# Create a Route Decorator
@app.route('/')
def index():
  return render_template('index.html')


@app.errorhandler(404)
def page_not_found(e):
  return render_template('404.html'), 404

### 500 - Internal Server Error

500 error code means that something happened to the server, and that prevented the correct communication.

In [None]:
# app.py
from flask import Flask, render_template

# Create a Flask instance
app = Flask(__name__)


# Create a Route Decorator
@app.route('/')
def index():
  return render_template('index.html')


@app.errorhandler(404)
def page_not_found(e):
  return render_template('404.html'), 404


@app.errorhandler(500)
def internal_server_error(e):
  return render_template('500.html'), 500

## What The Form | WTD-Flask

[Flask-WTF — Flask-WTF Documentation (1.0.x)](https://flask-wtf.readthedocs.io/en/1.0.x/)

WTF-Flask is a module that allows you to create forms taking advantage of its power and simplicity

### Let's create a form

The form we will create will have:
- name
- family name
- email
- password
- country
- genre
- subjects
- message
- honey pot field (honeypot is a field to prevent bots from spaming our form)

We will also take other measures in order to secure our form from ill intention hackers

In [None]:
pip install -U wtforms flask_wtf

### CSRF - Cross-site Request Forgery

[CSRF Protection — Flask-WTF Documentation (0.15.x)](https://flask-wtf.readthedocs.io/en/0.15.x/csrf/)

[Cross Site Requesr Forgery (CSRF) - Author: KirstenS](https://owasp.org/www-community/attacks/csrf)

Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they’re currently authenticated. With a little help of social engineering (such as sending a link via email or chat), an attacker may trick the users of a web application into executing actions of the attacker’s choosing. If the victim is a normal user, a successful CSRF attack can force the user to perform state changing requests like transferring funds, changing their email address, and so forth. If the victim is an administrative account, CSRF can compromise the entire web application.

### Multi Selection Checkbox Field

[Checkbox WTForms Example (in Flask) · GitHub](https://gist.github.com/doobeh/4668212)

### Honey Pot

Honey pot is a strategy that prevents bots from spaming our forms.

It consists of a field that is invisible for humans, but not for bots. 

So the bot will respond the field but not humans, then in our form validation function we will only submit forms that have that particular field empty.

It is important to know that nowadays bots are programmed to not respond to fields that have the hidden css attribute, or that are marked as a honeypot field, so be carefull to not include those things.

We will use the in-line css at the html file to make it invisible to the human eye.

You can see more about it in these links

[What is a honeypot? How honeypots help security](https://www.kaspersky.com/resource-center/threats/what-is-a-honeypot)

[How to create a simple honeypot to protect your web forms from spammers](https://dev.to/felipperegazio/how-to-create-a-simple-honeypot-to-protect-your-web-forms-from-spammers--25n8)

https://owasp.org/www-project-python-honeypot/migrated_content

In [None]:
import requests
from flask import Flask, render_template
from flask_wtf import FlaskForm
from wtforms import widgets, StringField, SubmitField, PasswordField, EmailField, SelectField, RadioField, TextAreaField, \
    SelectMultipleField
from wtforms.validators import DataRequired, Email, Length
from flask_wtf.csrf import CSRFProtect

# Create a Flask Instance
app = Flask(__name__)
csrf = CSRFProtect(app)
app.config['SECRET_KEY'] = "my_secret_key"

# Creating a list with all country names
countries_api = 'https://restcountries.com/v2/all'
countries_response = requests.get(countries_api).json()
countries = []
for elem in countries_response:
    countries.append(list(elem.items())[0][1])


# Creating a Field with multiple selection checkbox options
class MultiCheckboxField(SelectMultipleField):
    widget = widgets.ListWidget(prefix_label=False)
    option_widget = widgets.CheckboxInput()


# Create a Form Class
class MainForm(FlaskForm):
    # For the fields that require multiple choice we first create a list of options
    subject_choices = [("fix", "Réparation"), ("order", "Commande"), ("other", "Autres")]
    genres = ["M", "F", "X"]
    hpfield_choices = ["oui", "non"]

    name = StringField("Name", validators=[DataRequired()]) # 1
    family_name = StringField("Family name", validators=[DataRequired()]) # 2
    email = EmailField("E-mail?", validators=[DataRequired(), Email(message="Vous devez entrer un e-mail valide")]) # 3
    password = PasswordField("Password", validators=[DataRequired(), Length(min=8, message="Votre mot de passe doit avoir un minimum de 8 character")]) # 4
    country = SelectField("Country", validators=[DataRequired()], choices=countries) # 5
    genre = RadioField('Genre', validators=[DataRequired()], choices=genres) # 6
    subjects = MultiCheckboxField('Subject(s)', choices=subject_choices) # 7
    message = TextAreaField('Message', validators=[DataRequired()]) # 8
    hpfield = StringField("E-mail for subscription") # 9
    submit = SubmitField("Send")


# Create a Route Decorator
@app.route('/')
def index():
    return render_template('index.html')


# Invalid URL page
@app.errorhandler(404)
def page_not_found(e):
    return render_template('404.html'), 404


# Internal Server Error page
@app.errorhandler(500)
def internal_server_error(e):
    return render_template('500.html'), 500


# XSS Defense for name, family_name and message field

# In the name and family name users may only write alphabetic characters
# Doing that we can prevent ill intention users from injecting commands
# that could be dangerous and at the same time we clean their response
name_replacements = {
    '<': '',
    '>': '',
    '=': '',
    '"': '',
    '”': '',
    '`': '',
    "'": '',
    '%': '',
    '&': '',
    '!': '',
    '@': '',
    '#': '',
    '$': '',
    '(': '',
    ')': '',
    '{': '',
    '}': '',
    '[': '',
    ']': '',
    '|': '',
    '/': '',
    "\\": '',
    '?': '',
    '+': '',
    '-': '',
    '_': '',
    '*': '',
    '^': '',
    'ˆ': '',
    '˜': '',
    '~': '',
    '.': '',
    ',': '',
    ':': '',
    ';': '',
    '0': '',
    '1': '',
    '2': '',
    '3': '',
    '4': '',
    '5': '',
    '6': '',
    '7': '',
    '8': '',
    '9': ''
}
# In the message field we have to be more permissive, but we can restrain users
# from using some characters that could be dangerous
message_replacements = {
    '<': '&lt',
    '>': '&gt',
    '=': '&eq',
    '"': '&quot',
    '”': '&quot',
    "'": '&apos',
    '&': '&amp',
    # '%': '',
    # '!': '',
    # '@': '',
    # '#': '',
    # '$': ''
}

# Function sanitizes the users input taking the string the user inserted inside
# the form input and the dictionary list we build prior
def replace_all(input_str, dic):
    for i, j in dic.items():
        input_str = input_str.replace(i, j)
    return input_str


# Creating the form Form Page
@app.route('/main-form', methods=['GET', 'POST'])
def main_form():
    name = None
    family_name = None
    email = None
    password = None
    country = None
    genre = None
    subjects = None
    message = None
    hpfield = None
    form = MainForm()

    # Validate Form and check if honeypot was responded
    if form.validate_on_submit() and form.hpfield.data == '':
        name = replace_all(form.name.data, name_replacements),
        form.name.data = ''
        family_name = replace_all(form.family_name.data, name_replacements)
        form.family_name.data = ''
        email = form.email.data
        form.email.data = ''
        password = form.password.data
        form.password.data = ''
        country = form.country.data
        form.country.data = ''
        genre = form.genre.data
        form.genre.data = ''
        subjects = form.subjects.data
        form.subjects.data = ''
        message = replace_all(form.message.data, message_replacements)
        form.message.data = ''
        hpfield = form.hpfield.data

        return render_template('success.html',
                               name=name,
                               family_name=family_name,
                               email=email,
                               password=password,
                               country=country,
                               genre=genre,
                               subjects=subjects,
                               hpfield=hpfield,
                               message=message)

    return render_template('main_form.html',
                           name=name,
                           family_name=family_name,
                           email=email,
                           password=password,
                           country=country,
                           genre=genre,
                           subjects=subjects,
                           message=message,
                           hpfield=hpfield,
                           form=form)


if __name__ == '__main__':
    app.run(debug=True)


In [None]:
touch templates/form.html

In [None]:
{% extends 'base.html' %}


{% block content %}

    <div>
        <h1>Main Form</h1>
        <br/>
        <br/>
        <br/>

        <form method="POST">
            {{ form.hidden_tag() }}

            {{ form.name.label(class="form-label") }}
            {{ form.name(class="form-control") }}
            <br/>

            {{ form.family_name.label(class="form-label") }}
            {{ form.family_name(class="form-control") }}
            <br/>

            {{ form.email.label(class="form-label") }}
            {{ form.email(class="form-control") }}
            <br/>

            {{ form.password.label(class="form-label") }}
            {{ form.password(class="form-control") }}
            <br/>

            {{ form.country.label(class="form-label") }}
            {{ form.country(class="form-control") }}
            <br/>

            {{ form.genre.label(class="form-label") }}
            {{ form.genre() }}
            <br/>

            {{ form.subjects.label(class="form-label") }}
            {{ form.subjects() }}
            <br/>

            {{ form.message.label(class="form-label") }}
            {{ form.message(class="form-control") }}
            <br/>

            {{ form.hpfield.label(style="opacity:0;position:absolute;top:0;left:0;height:0;width:0;z-index:-1;") }}
            {{ form.hpfield(style="opacity:0;position:absolute;top:0;left:0;height:0;width:0;z-index:-1;") }}
            <br/>

            {{ form.submit(class="btn btn-primary") }}
        </form>
    </div>

{% endblock %}
