Previously, Flask-WTF stripped away the csrf_token field value when accessing the form data. But in 42befd0 this was removed.
Is this intentional? Now a form will expose the token as part of the data, even though it's an implicit value not generally useful outside the form.
I realize it is WTForms that implements the general logic for supporting CSRF validation, so maybe this is viewed as the responsibility of WTForms in the same way that form.populate_obj explicitly avoids populating the CSRF field value on the object. Sadly, WTForms has no such filtering when accessing form.data, and the filtering in Flask-WTF was useful as it was.
I'll raise an issue with WTForms if that's where you think this should be fixed.