XSS 跨站脚本攻击，CSRF 跨站请求伪造
# views.py
# Module-level, in-memory comment store shared by comment() and show().
# It lives for the lifetime of the process and is never persisted or cleared.
msg: list = []
def comment(request):
    """Collect a comment from the form (the intentionally vulnerable baseline).

    GET renders the form. POST stores the raw ``content`` field in the
    module-level ``msg`` list with no validation or escaping; ``index.html``
    then renders each entry with ``|safe``, and that combination is the
    stored-XSS case these notes describe. Both branches render
    ``comment.html``. The mitigated version follows under 措施.
    """
    if request.method != 'GET':
        msg.append(request.POST.get('content'))
    return render(request, 'comment.html')
def show(request):
    """Render ``index.html`` with every comment stored in module-level ``msg``."""
    context = {'msg': msg}
    return render(request, 'index.html', context)
# comment.html
<body>
{# Comment form: "content" is POSTed to views.comment. Nothing here validates or escapes it; the view and index.html decide how it is rendered. #}
{# NOTE(review): no csrf_token tag in this form, so with CsrfViewMiddleware enabled the POST is rejected -- presumably the middleware was disabled for this demo; confirm. #}
<h3>评论</h3>
<form action="" method="POST">
<input type="text" name="content">
<input type="submit" value="提交">
</form>
</body>
# index.html
<body>
<h3>展示评论</h3>
{# |safe switches off autoescaping for item, so whatever the user typed is inserted as raw HTML -- this is the line where the stored XSS fires. Without |safe Django escapes the value. #}
{% for item in msg %}
<div>{{ item|safe }}</div> # 加|safe
{% endfor %}
</body>
# 加|safe 是一种方法
# 还有一种方法,在后台标记成安全的
# from django.utils.safestring import mark_safe
# temp = "<a href='http://taobao.com'>淘宝</a>"
# newtemp = mark_safe(temp)
# 然后 render 返回前端渲染，这样也会被识别成安全的
################ 措施
# views.py
# 对特殊字符进行过滤,对|safe和mark_safe使用要谨慎,如果要使用一定要进行过滤
# Module-level, in-memory comment store shared by comment() and show().
# It lives for the lifetime of the process and is never persisted or cleared.
msg: list = []
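def comment(request):
    """Collect a comment, rejecting input that contains ``script``.

    GET renders the form. POST reads ``content``; if it contains ``script``
    (matched case-insensitively) the form is re-rendered with an ``error``
    and nothing is stored, otherwise the value is appended to the
    module-level ``msg`` list.

    Fixes over the original: a POST without a ``content`` field gave
    ``None`` and ``'script' in None`` raised ``TypeError`` (an unhandled
    500), and the check only matched lowercase ``script``.
    NOTE(review): a substring blacklist is not a reliable XSS defence --
    markup that does not contain this word still reaches the page. The
    robust fix is output escaping: drop ``|safe`` in ``index.html`` so
    Django's autoescaping runs, or escape the value before storing it.
    """
    if request.method == 'GET':
        return render(request, 'comment.html')
    # .get() returns None when the field is absent; normalise to '' so the
    # substring test below cannot raise.
    v = request.POST.get('content') or ''
    if 'script' in v.lower():
        return render(request, 'comment.html', {'error': '还想黑我'})
    msg.append(v)
    return render(request, 'comment.html')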
def show(request):
    """Render ``index.html`` with every comment stored in module-level ``msg``."""
    context = {'msg': msg}
    return render(request, 'index.html', context)
# csrf 用户访问需要携带随机字符串
# views.py
def index2(request):
    """GET renders ``index.html``; any other method answers a plain ``'ok'``.

    The template carries a csrf_token tag, so a POST to this view is checked
    by CsrfViewMiddleware before the body below runs.
    """
    if request.method != 'GET':
        return HttpResponse('ok')
    return render(request, 'index.html')
# index.html
<body>
<form action="" method="post">
{# The csrf_token tag renders a hidden "csrfmiddlewaretoken" input (see the expansion noted below); CsrfViewMiddleware checks it against the csrftoken cookie on POST. #}
{% csrf_token %} # 会自动生成input框冰隐藏,value值为随机字符串
<input type="text" name="user">
<input type="submit" value="提交">
</form>
</body>
# {% csrf_token %}
# <input type="hidden" name="csrfmiddlewaretoken" value="voopFnF1UhczvzVdMReXsZuvWiQmfqUhGqZa6yWMVxWNaaXr4hsJsfDic1lQkTLy">
# {{ csrf_token }}
# 如果写成这样 这是直接生成随机字符串
# 不仅在 input 框里生成了随机字符串，在本地 cookie 中也生成了随机字符串
# 如果需要全站禁用csrf
# setting.py
MIDDLEWARE = [
.......
# 'django.middleware.csrf.CsrfViewMiddleware',
# NOTE: commenting out the line above removes CSRF checking from every view
# in the site; the per-view @csrf_exempt shown below limits the exposure
# to the one handler that actually needs it.
.......
]
# 局部禁用
# 单独在某个函数加装饰器
from django.views.decorators.csrf import csrf_exempt
@csrf_exempt
def index2(request):
    """GET renders ``index2.html``; any other method answers a plain ``'ok'``.

    ``@csrf_exempt`` switches CsrfViewMiddleware off for this view only, so
    a POST without a token is accepted here while the rest of the site
    stays protected.
    """
    if request.method != 'GET':
        return HttpResponse('ok')
    return render(request, 'index2.html')
# 局部使用
from django.views.decorators.csrf import csrf_exempt,csrf_protect
@csrf_protect
def index2(request):
    """GET renders ``index2.html``; any other method answers a plain ``'ok'``.

    ``@csrf_protect`` enforces the CSRF check on this view even when
    CsrfViewMiddleware has been removed from MIDDLEWARE site-wide.
    """
    if request.method != 'GET':
        return HttpResponse('ok')
    return render(request, 'index2.html')
]
# 不用Form表单提交用Ajax提交
<body>
<form action="" method="post">
{% csrf_token %}
<input id="user" type="text" name="user">
<a onclick="submitForm()">提交</a>
</form>
<script src="/static/jquery-3.2.1.js"></script>
<script>
// Ajax variant 1: read the hidden csrfmiddlewaretoken input that the
// csrf_token tag rendered and send it as an ordinary POST field, so
// CsrfViewMiddleware validates the request exactly like a form submit.
function submitForm() {
var csrf = $('input[name="csrfmiddlewaretoken"]').val();
var user = $('#user').val();
$.ajax({
url: '/index2.html',
type: 'POST',
data:{"user":user,"csrfmiddlewaretoken":csrf},
success:function (arg) {
console.log(arg)
}
})
}
</script>
</body>
# Ajax 请求头里把字符串传过去
<body>
<form action="" method="post">
{% csrf_token %}
{{ csrf_token }}
{# The line above prints the token value as visible page text; presumably it is here only to force the csrftoken cookie to be set -- the hidden input already does that, so it can likely be dropped. #}
<input id="user" type="text" name="user">
<a onclick="submitForm()">提交</a>
</form>
<script src="/static/jquery-3.2.1.js"></script>
<script src="/static/jquery-cookie.js"></script>
<script>
// Ajax variant 2: take the token from the csrftoken cookie (jquery-cookie)
// and send it in the X-CSRFToken header, which CsrfViewMiddleware accepts
// as an alternative to the POST field.
// NOTE(review): this only works while the cookie is readable from JS,
// i.e. CSRF_COOKIE_HTTPONLY stays False (the Django default) -- confirm in settings.
function submitForm() {
var token = $.cookie('csrftoken');
var user = $('#user').val();
$.ajax({
url: '/index2.html',
type: 'POST',
headers:{'X-CSRFToken':token},
data:{"user":user},
success:function (arg) {
console.log(arg)
}
})
}
</script>
</body>