15. Django's built-in security mechanisms: XSS (django-xss) attacks and defense

A. Django XSS attacks and defense

1. Cross-site scripting (XSS) concept

XSS is a security vulnerability that commonly appears in web applications. It allows an attacker to inject malicious code into a web page that is then served to the other users of that page. XSS belongs to the injection family of attacks: injection means that data supplied as input ends up being executed as part of a program statement, and here that data is HTML markup and client-side script.

 2. XSS attack: web injection

  XSS (cross-site scripting, abbreviated XSS) is a kind of "HTML injection"; because the injected script usually runs across domains, it is also called "cross-domain scripting".
  We often hear of "injection" (SQL injection, for example), so what does "inject" actually mean? In essence, injection is user input being turned into an executable statement of the program. That is what SQL injection is, and XSS is the same, except that what gets injected is usually malicious script code, and that script can be used to obtain a legitimate user's data, such as cookie information.

  Note: by default, data entered by the user is displayed in a safe form; it can only be shown as a plain string on the page. The Django framework offers two ways to mark data as safe for display (both are unsafe if applied to user-supplied data):
  - In the template, write the data with the safe filter: {{ xxxx|safe }}
  - In the backend, import the module (from django.utils.safestring import mark_safe) and run the string that will be passed to the page through it: s = mark_safe(s)
Carrying out an XSS attack requires two conditions:

  First, malicious code must be injected into the web page;

  Second, the browser must successfully execute that malicious code.
Solution:

   1, before submitting the form or passing URL parameters, filter the parameters that are needed.
   2, filter the string data fetched from the database in the backend and check it for keywords.
   3, set up the security mechanism.
  Django framework: the internal mechanism blocks by default. It treats every incoming string as unsafe and renders it only as a plain string. If you carelessly write |safe, that is dangerous; if you need to use safe, the string must be filtered in the backend before it is rendered. So during development the security mechanisms must be used with caution, especially wherever users can submit content that will be rendered!
comment.html (comment submission page):


<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <title></title>
</head>
<body>
    <form method="POST" action="/comment/">
        <h4>评论</h4>
        <input type="text" name="content"/>
        <input type="submit" value="submit"/>{{ error }}
    </form>
</body>
</html>
index.html (comment display page):


<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <title></title>
</head>
<body>
    <h1>评论内容</h1>
    {% for item in msg %}
        <div>{{ item|safe }}</div>
    {% endfor %}
</body>
</html>


views.py (backend handling):

from django.shortcuts import render
from django.utils.safestring import mark_safe

# Module-level list used as an in-memory comment store (no database in this demo)
msg = []


def comment(request):
    if request.method == "GET":
        return render(request, 'comment.html')
    else:
        v = request.POST.get('content', '')
        # Keyword blacklist: reject any input containing "script"
        if "script" in v:
            return render(request, 'comment.html', {'error': '小比崽子还黑我'})
        else:
            msg.append(v)
            return render(request, 'comment.html')


def index(request):
    # index.html renders each item with |safe, so stored comments are output unescaped
    return render(request, 'index.html', {'msg': msg})


def test(request):
    # mark_safe tells the template engine not to escape this trusted, hard-coded HTML
    temp = "<a href='http://www.baidu.com'>百度</a>"
    newtemp = mark_safe(temp)
    return render(request, 'test.html', {'temp': newtemp})
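As an added example that is not part of the original post or of Django itself, the following self-contained Python block models what happens to a stored comment under the two rendering choices discussed above: Django's default autoescape ({{ item }}) and the |safe filter used in index.html. The SafeString, mark_safe, escape and conditional_escape definitions are small reimplementations of the corresponding django.utils helpers (an assumption, so the block runs without Django installed); render_comments, keyword_filter_accepts and comment_view_hardened are hypothetical names, and the comment strings are constructed sample input.

```python
import html


class SafeString(str):
    """Mirror of django.utils.safestring.SafeString: a str flagged as HTML
    that is already safe, so autoescaping leaves it alone (assumption:
    reimplemented here so the example runs without Django)."""


def mark_safe(s):
    # Same idea as django.utils.safestring.mark_safe: flag once, never escape.
    return s if isinstance(s, SafeString) else SafeString(s)


def escape(text):
    # Same five replacements as django.utils.html.escape: & < > " '
    return SafeString(html.escape(str(text), quote=True))


def conditional_escape(text):
    # What {{ item }} does under autoescape: escape unless already marked safe
    return text if isinstance(text, SafeString) else escape(text)


def render_comments(msgs, use_safe_filter=False):
    """Render the loop from index.html.
    use_safe_filter=True reproduces {{ item|safe }} (the vulnerable template);
    False reproduces {{ item }} under Django's default autoescape."""
    parts = []
    for item in msgs:
        rendered = item if use_safe_filter else conditional_escape(item)
        parts.append(f"<div>{rendered}</div>")
    return "\n".join(parts)


def keyword_filter_accepts(content):
    """The blacklist from the original views.py: reject anything containing
    the substring 'script'. A blacklist only catches the strings it names;
    escaping at render time needs no such list."""
    return "script" not in content


def comment_view_hardened(content, msgs):
    """Hardened version of comment(): store the raw text unchanged and rely on
    autoescape in the template (no |safe, no keyword blacklist). Returns the
    store so the effect can be checked."""
    msgs.append(content)
    return msgs


if __name__ == "__main__":
    # Constructed sample input: one ordinary comment, one carrying a script tag
    store = []
    comment_view_hardened("Nice post & thanks <3", store)
    comment_view_hardened("<script>alert(1)</script>", store)
    print("with |safe:\n" + render_comments(store, use_safe_filter=True))
    print("with autoescape:\n" + render_comments(store))
    # Trusted, hard-coded HTML (as in the page's test view) still renders as markup
    print(render_comments([mark_safe("<a href='http://www.baidu.com'>百度</a>")]))
```

The point the block makes is that the fix belongs in the template, not in the view: dropping |safe from index.html lets autoescape neutralize every comment at output time, while mark_safe stays reserved for HTML the developer wrote, such as the anchor in the test view.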

Origin: www.cnblogs.com/lovershowtime/p/11361434.html