XSS 跨站腳本攻擊，CSRF 跨站請求僞造
# views.py
# Module-level list shared by every request and every user of the process;
# comment() appends to it and show() renders it, nothing ever clears it.
msg = []
def comment(request):
    """Accept a comment and stash it in the module-level ``msg`` list.

    GET shows the form; any other method stores the posted ``content``
    field as-is and shows the form again. This is the vulnerable version:
    nothing is filtered or escaped here, and index.html renders each entry
    with ``|safe``, so a submitted ``<script>`` tag runs in every later
    visitor's browser (stored XSS).
    """
    if request.method != 'GET':
        # Untrusted text goes straight into shared state.
        msg.append(request.POST.get('content'))
    return render(request, 'comment.html')
def show(request):
    """Render index.html with every comment collected so far in ``msg``."""
    context = {'msg': msg}
    return render(request, 'index.html', context)
# comment.html
<body>
<!-- comment.html: a plain form that POSTs the comment text back to the same
     URL. There is no csrf_token tag here, so with CsrfViewMiddleware active
     this POST would be rejected; it only works with CSRF checking disabled
     or the view exempted (see the CSRF section further down). -->
<h3>評論</h3>
<form action="" method="POST">
    <input type="text" name="content">
    <input type="submit" value="提交">
</form>
</body>
# index.html
<body>
<h3>展示評論</h3>
{% for item in msg %}
    {% comment %}
    |safe switches off Django's auto-escaping for this value: the stored
    comment is inserted as raw HTML, which is what turns the unfiltered
    input accepted by comment() into a stored XSS. Drop |safe, or escape the
    text before it is stored, to render it as plain text instead.
    {% endcomment %}
    <div>{{ item|safe }}</div>
{% endfor %}
</body>
# 加|safe 是一種方法
# 還有一種方法,在後臺標記成安全的
# from django.utils.safestring import mark_safe
# temp = "<a href='http://taobao.com'>淘寶</a>"
# newtemp = mark_safe(temp)
# 然後 render 返回前端渲染，這樣也會被識別成安全的
################ 措施
# views.py
# 對特殊字符進行過濾,對|safe和mark_safe使用要謹慎,如果要使用一定要進行過濾
# Module-level list shared by every request and every user of the process;
# comment() appends the accepted comment text and show() renders it.
msg = []
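def comment(request):
    """Accept a comment, neutralise any HTML in it, and store it in ``msg``.

    GET renders the form. Any other method reads the posted ``content``
    field: a value containing ``script`` is bounced back with an error, and
    anything else is HTML-escaped before it is appended, so index.html's
    ``|safe`` can no longer turn user input into live markup.

    Args:
        request: the Django request; ``request.POST['content']`` is read.

    Returns:
        The rendered comment.html, with ``{'error': ...}`` in the context
        when the submission was rejected.
    """
    import html

    if request.method == 'GET':
        return render(request, 'comment.html')
    # ``get`` returns None when the field is missing; the original
    # ``'script' in v`` raised TypeError on that, so treat it as empty.
    v = request.POST.get('content') or ''
    # Keyword check kept from the original, made case-insensitive. On its
    # own it is a weak denylist (it misses e.g. event-handler attributes and
    # also matches harmless words such as "description"); the escape below
    # is the real protection.
    if 'script' in v.lower():
        return render(request, 'comment.html', {'error': '還想黑我'})
    # Escape < > & and quotes so the stored text is displayed literally even
    # through ``|safe``. If index.html ever drops ``|safe``, remove this
    # escape too, otherwise the value is escaped twice.
    msg.append(html.escape(v))
    return render(request, 'comment.html')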
def show(request):
    """Render index.html with every comment collected so far in ``msg``."""
    stored = {'msg': msg}
    return render(request, 'index.html', stored)
# csrf 用戶訪問需要攜帶隨機字符串
# views.py
def index2(request):
    """Serve index.html on GET and answer every other method with 'ok'.

    While CsrfViewMiddleware is enabled, a POST reaches the 'ok' branch only
    if it carried the csrfmiddlewaretoken rendered by the csrf_token tag.
    """
    if request.method != 'GET':
        return HttpResponse('ok')
    return render(request, 'index.html')
# index.html
<body>
<form action="" method="post">
    {% csrf_token %}
    {% comment %}
    csrf_token renders a hidden input named csrfmiddlewaretoken whose value
    is a random string; on POST the CSRF middleware checks that value against
    the csrftoken cookie, which is what a cross-site form cannot supply.
    {% endcomment %}
    <input type="text" name="user">
    <input type="submit" value="提交">
</form>
</body>
# {% csrf_token %}
# <input type="hidden" name="csrfmiddlewaretoken" value="voopFnF1UhczvzVdMReXsZuvWiQmfqUhGqZa6yWMVxWNaaXr4hsJsfDic1lQkTLy">
# {{ csrf_token }}
# 如果寫成這樣 這是直接生成隨機字符串
# 不僅在 input 框裏生成了隨機字符串，在本地 cookie 中也生成了隨機字符串
# 如果需要全站禁用csrf
# settings.py
# Commenting CsrfViewMiddleware out removes CSRF checking from every view in
# the project at once; when only one endpoint needs it, prefer the per-view
# csrf_exempt decorator shown below and keep the middleware installed.
MIDDLEWARE = [
    .......
    # 'django.middleware.csrf.CsrfViewMiddleware',
    .......
]
# 局部禁用
# 單獨在某個函數加裝飾器
from django.views.decorators.csrf import csrf_exempt
@csrf_exempt
def index2(request):
    """index2 with CSRF checking switched off for this one view.

    csrf_exempt makes CsrfViewMiddleware skip this view, so a POST is
    accepted without csrfmiddlewaretoken — any third-party page can then
    submit it on a logged-in user's behalf. Reserve it for endpoints that
    have their own protection.
    """
    if request.method != 'GET':
        return HttpResponse('ok')
    return render(request, 'index2.html')
# 局部使用
from django.views.decorators.csrf import csrf_exempt,csrf_protect
@csrf_protect
def index2(request):
    """index2 with CSRF checking enforced for this view only.

    csrf_protect applies the CsrfViewMiddleware check to this view even when
    the middleware has been removed from MIDDLEWARE (the 局部使用 case).
    """
    if request.method != 'GET':
        return HttpResponse('ok')
    return render(request, 'index2.html')
]
# 不用Form表單提交用Ajax提交
<body>
<form action="" method="post">
    {% csrf_token %}
    <input id="user" type="text" name="user">
    {# The link calls submitForm() instead of a native submit, so the token from the hidden input has to be copied into the Ajax body by hand. #}
    <a onclick="submitForm()">提交</a>
</form>
<script src="/static/jquery-3.2.1.js"></script>
<script>
function submitForm() {
    // Token taken from the hidden input rendered by the csrf_token tag and
    // sent as a normal form field, exactly as a native submit would do it.
    var csrfToken = $('input[name="csrfmiddlewaretoken"]').val();
    var userName = $('#user').val();
    var requestOptions = {
        url: '/index2.html',
        type: 'POST',
        data: {"user": userName, "csrfmiddlewaretoken": csrfToken},
        success: function (arg) {
            console.log(arg);
        }
    };
    $.ajax(requestOptions);
}
</script>
</body>
# Ajax 請求頭裏把字符串傳過去
<body>
<form action="" method="post">
    {% csrf_token %}
    {# The variable tag on the next line prints the raw token as visible page text; submitForm() reads the cookie instead, so this line is not needed. #}
    {{ csrf_token }}
    <input id="user" type="text" name="user">
    <a onclick="submitForm()">提交</a>
</form>
<script src="/static/jquery-3.2.1.js"></script>
<script src="/static/jquery-cookie.js"></script>
<script>
function submitForm() {
    // Read the token from the csrftoken cookie (jquery-cookie plugin) and
    // send it in the X-CSRFToken header rather than in the body.
    // NOTE(review): this only works while the cookie is readable from
    // script; if it is marked HttpOnly, fall back to the hidden input.
    var csrfToken = $.cookie('csrftoken');
    var userName = $('#user').val();
    var requestOptions = {
        url: '/index2.html',
        type: 'POST',
        headers: {'X-CSRFToken': csrfToken},
        data: {"user": userName},
        success: function (arg) {
            console.log(arg);
        }
    };
    $.ajax(requestOptions);
}
</script>
</body>