XSS (cross-site scripting) and CSRF (cross-site request forgery)


  • XSS attack: cross-site scripting
# views.py

from django.shortcuts import render

msg = []  # in-memory comment store (demo only)

def comment(request):
    if request.method == 'GET':
        return render(request, 'comment.html')
    else:
        v = request.POST.get('content')  # stored exactly as submitted, no filtering
        msg.append(v)
        return render(request, 'comment.html')

def show(request):
    return render(request, 'index.html', {'msg': msg})

# comment.html

<body>
<h3>評論</h3>
<form action="" method="POST">
    <input type="text" name="content">
    <input type="submit" value="提交">
</form>
</body>


# index.html

<body>
<h3>展示評論</h3>
{% for item in msg %}
    <div>{{ item|safe }}</div>   {# adding |safe switches off autoescaping for this value #}
{% endfor %}
</body>
# Adding |safe in the template is one way to output raw HTML.
# The other way is to mark the string as safe on the back end:
# from django.utils.safestring import mark_safe
# temp = "<a href='http://taobao.com'>淘寶</a>"
# newtemp = mark_safe(temp)
# Then pass newtemp to render(); the front end treats it as safe and does not escape it either.



################ Countermeasures
# views.py
# Filter special characters; use |safe and mark_safe with care, and if you must use them, filter the input first

from django.shortcuts import render

msg = []

def comment(request):
    if request.method == 'GET':
        return render(request, 'comment.html')
    else:
        v = request.POST.get('content', '')  # default to '' so the check below never sees None
        if 'script' in v:
            return render(request, 'comment.html', {'error': '還想黑我'})
        else:
            msg.append(v)
            return render(request, 'comment.html')

def show(request):
    return render(request, 'index.html', {'msg': msg})
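To make the comparison between the two approaches above concrete, here is an added example that is not part of the original post or of Django: it models the `{{ item }}` / `{{ item|safe }}` template line with `html.escape` (the same output encoding Django's autoescaping applies) and runs the page's `'script' in v` blacklist and the escaped rendering over a few constructed comments. The sample comments and the `SAMPLES`, `evaluate` and `contains_foreign_markup` names are assumptions made for this example.

```python
import html
import re


def naive_filter_rejects(value: str) -> bool:
    """The page's countermeasure: reject a comment if it contains 'script'.

    A substring blacklist is case sensitive and also matches innocent words,
    so it both misses variants and rejects legitimate comments.
    """
    return 'script' in value


def escape_for_html(value: str) -> str:
    """Output encoding: what Django's template autoescaping does by default
    for {{ item }}, and what |safe / mark_safe switch off."""
    return html.escape(value, quote=True)


def render_comment_div(value: str, safe: bool = False) -> str:
    """Model of the template line <div>{{ item|safe }}</div>.

    safe=False behaves like {{ item }} (autoescaped); safe=True behaves like
    {{ item|safe }} (the raw string is inserted verbatim).
    """
    body = value if safe else escape_for_html(value)
    return f"<div>{body}</div>"


# Any tag other than the wrapping <div> / </div>
_TAG_RE = re.compile(r"<(?!/?div\b)[a-zA-Z]")


def contains_foreign_markup(rendered: str) -> bool:
    """True if the rendered fragment contains markup that did not come from the template."""
    return _TAG_RE.search(rendered) is not None


# Constructed sample comments for this example (not from the page)
SAMPLES = {
    "lowercase": "<script>alert(1)</script>",
    "uppercase": "<SCRIPT>alert(1)</SCRIPT>",   # same tag, different case
    "legit": "Please read the description first",  # 'description' contains 'script'
}


def evaluate(value: str) -> dict:
    """Compare the blacklist with autoescaping for one comment."""
    return {
        "blacklist_rejects": naive_filter_rejects(value),
        "escaped_has_markup": contains_foreign_markup(render_comment_div(value)),
        "safe_has_markup": contains_foreign_markup(render_comment_div(value, safe=True)),
    }


if __name__ == "__main__":
    for name, sample in SAMPLES.items():
        print(name, evaluate(sample))
```

The blacklist accepts the upper-case variant and rejects the harmless sentence, while the escaped rendering never contains foreign markup regardless of input; that is why the default `{{ item }}` is the real defence and `|safe` should only be applied to content that was sanitised or generated by the server.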

  • CSRF: cross-site request forgery
# CSRF protection: a request from the user must carry a random string (the token)
# views.py
from django.shortcuts import render
from django.http import HttpResponse

def index2(request):
    if request.method == 'GET':
        return render(request, 'index.html')
    else:
        return HttpResponse('ok')

# index.html
<body>
<form action="" method="post">
    {% csrf_token %}  {# automatically generates a hidden input whose value is the random string #}
    <input type="text" name="user">
    <input type="submit" value="提交">
</form>
</body>


# {% csrf_token %} renders as:
# <input type="hidden" name="csrfmiddlewaretoken" value="voopFnF1UhczvzVdMReXsZuvWiQmfqUhGqZa6yWMVxWNaaXr4hsJsfDic1lQkTLy">

# {{ csrf_token }}
# Written this way, only the random string itself is output, without the input element

# The random string is generated not only in the input field but also in the local cookie (csrftoken)


# To disable CSRF protection site-wide
# settings.py
MIDDLEWARE = [
    .......
    # 'django.middleware.csrf.CsrfViewMiddleware',
    .......
]

# Disable for a single view

# Add the decorator to that one function
from django.views.decorators.csrf import csrf_exempt
from django.shortcuts import render
from django.http import HttpResponse

@csrf_exempt
def index2(request):
    if request.method == 'GET':
        return render(request, 'index2.html')
    else:
        return HttpResponse('ok')

# Enable for a single view (useful when the middleware is disabled site-wide)

from django.views.decorators.csrf import csrf_protect
from django.shortcuts import render
from django.http import HttpResponse

@csrf_protect
def index2(request):
    if request.method == 'GET':
        return render(request, 'index2.html')
    else:
        return HttpResponse('ok')




# Submit with Ajax instead of the form

<body>
<form action="" method="post">
    {% csrf_token %}
    <input id="user" type="text" name="user">
    <a onclick="submitForm()">提交</a>
</form>
<script src="/static/jquery-3.2.1.js"></script>
<script>
    function submitForm() {
        var csrf = $('input[name="csrfmiddlewaretoken"]').val();
        var user = $('#user').val();
        $.ajax({
            url: '/index2.html',
            type: 'POST',
            data:{"user":user,"csrfmiddlewaretoken":csrf},
            success:function (arg) {
                console.log(arg)
            }
        })
    }
</script>
</body>



# Pass the token in the Ajax request header instead of the body

<body>

<form action="" method="post">
    {% csrf_token %}
    {{ csrf_token }}
    <input id="user" type="text" name="user">
{#    <input type="submit" value="提交">#}
    <a onclick="submitForm()">提交</a>
</form>

<script src="/static/jquery-3.2.1.js"></script>
<script src="/static/jquery-cookie.js"></script>
<script>
    function submitForm() {
        var token = $.cookie('csrftoken');
        var user = $('#user').val();
        $.ajax({
            url: '/index2.html',
            type: 'POST',
            headers:{'X-CSRFToken':token},
            data:{"user":user},
            success:function (arg) {
                console.log(arg)
            }

        })

    }
</script>
</body>
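The three request shapes above (the plain form with `{% csrf_token %}`, Ajax with `csrfmiddlewaretoken` in the body, and Ajax with the `X-CSRFToken` header read from the `csrftoken` cookie) all pass the same server-side check: the token in the cookie must be repeated in the request. The following is an added example, not code from the post or from Django itself, that models that double-submit check in plain Python so it can be run without a Django project. The `Request` dataclass, `scenarios` and the sample values are constructed for this example; real Django additionally masks the form token and validates Origin/Referer.

```python
import hmac
import secrets
from dataclasses import dataclass, field

SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}
COOKIE_NAME = "csrftoken"           # cookie set by Django's CSRF middleware
FORM_FIELD = "csrfmiddlewaretoken"  # hidden input emitted by {% csrf_token %}
HEADER_NAME = "X-CSRFToken"         # header used by the Ajax variant on the page


def issue_csrf_token() -> str:
    """Server side: mint the random string that is stored in the csrftoken cookie."""
    return secrets.token_urlsafe(32)


@dataclass
class Request:
    """Minimal stand-in for a Django HttpRequest (constructed for this example)."""
    method: str
    cookies: dict = field(default_factory=dict)
    POST: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)


def csrf_check(request: Request) -> bool:
    """Double-submit check: the token in the cookie must be repeated in the
    request, either in the form field or in the X-CSRFToken header.

    Simplified model of the middleware's logic, not Django's implementation.
    """
    if request.method in SAFE_METHODS:
        return True                      # only unsafe methods are guarded
    cookie_token = request.cookies.get(COOKIE_NAME)
    if not cookie_token:
        return False                     # no cookie means nothing to compare against
    submitted = request.POST.get(FORM_FIELD) or request.headers.get(HEADER_NAME)
    if not submitted:
        return False                     # neither form field nor header carried a token
    # Constant-time comparison on bytes, so a non-ASCII value cannot raise TypeError
    return hmac.compare_digest(cookie_token.encode(), submitted.encode())


def scenarios() -> dict:
    """Run the request shapes the page discusses plus a forged one."""
    token = issue_csrf_token()
    victim_cookie = {COOKIE_NAME: token}
    return {
        # <form> with {% csrf_token %}: token travels in the hidden input
        "form_post": csrf_check(Request("POST", victim_cookie, {FORM_FIELD: token, "user": "alice"})),
        # $.ajax with headers:{'X-CSRFToken': token}: token travels in the header
        "ajax_header": csrf_check(Request("POST", victim_cookie, {"user": "alice"}, {HEADER_NAME: token})),
        # A form on another origin: the browser attaches the victim's cookie, but that
        # page cannot read the cookie, so it cannot repeat the token in the body or header
        "cross_site_post": csrf_check(Request("POST", victim_cookie, {"user": "alice"})),
        # A mismatching token value is rejected as well
        "wrong_token": csrf_check(Request("POST", victim_cookie, {FORM_FIELD: "not-the-token"})),
        # Safe methods are not checked at all
        "plain_get": csrf_check(Request("GET", victim_cookie)),
    }


if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

The model makes the page's point explicit: `{% csrf_token %}` and `$.cookie('csrftoken')` are two ways of getting the same secret into the request, and the check works because a cross-origin page can cause the cookie to be sent but cannot read it. Disabling the middleware or decorating a view with `csrf_exempt` removes exactly this check for POST handlers.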
