08-Django template (2)

One, HTML escaping

  When a view passes a context string to a template and the template outputs it, the following characters are escaped automatically. The effect of HTML escaping is that markup in the string is not interpreted by the browser but displayed as literal text, which prevents attacks that embed JS code into the site through client-supplied input.

less than < is converted to &lt;

greater than > is converted to &gt;

single quote ' is converted to &#39;

double quote " is converted to &quot;

ampersand & is converted to &amp;

HTML escaping demo:

URL pattern:

path('zhuanyi/', views.zhuanyi),

view:

from django.shortcuts import render

def zhuanyi(request):
    content = {"text": "<h1>a title</h1>"}
    # pass the string containing HTML to the template
    return render(request, "Book/zhuanyi.html", content)

template:

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <title>Escaping demo</title>
</head>
<body>
<p>{{ text }}</p>
</body>
</html>

result:

The HTML tag passed in from the view is not executed by the browser: the page shows the literal text <h1>a title</h1> instead of a heading. This is the protection against JS injection. The string was escaped when the template was rendered, so the browser no longer recognises it as a tag.

Disabling HTML escaping

{{ variable|escape }}

The escape filter escapes the HTML in a variable. Since templates escape by default, it is usually omitted.

{{ variable|safe }}

The safe filter disables escaping: it tells the template that this variable is safe and may be interpreted as HTML.

{% autoescape off %}
.......
{% endautoescape %}

The autoescape tag switches escaping on or off for a block of template code; it takes the parameter on or off (on: escaping enabled, off: escaping disabled).

Code example:

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <title>Disable escaping demo</title>
</head>
<body>
{# escaped by default #}
<p style="background: red">{{ text }}</p>
<p>{{ text|safe }}</p>
</body>
</html>

 

Other notes:

  1. The characters < > ' " & hard-coded in the template itself are not escaped.

  2. If you want hard-coded template text to appear escaped, you need to write the HTML entities by hand.
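The escaping rules above and the safe / escape / autoescape behaviour, as an added pure-Python model (not Django's own code; SafeString is a stand-in for django.utils.safestring.SafeString):

```python
# Added example, not the page's code: a pure-Python model of Django's variable
# escaping. SafeString stands in for django.utils.safestring.SafeString.

# The five replacements listed on the page. A translation table substitutes each
# character exactly once, so the "&" rule cannot re-escape the other entities.
ESCAPE_TABLE = str.maketrans({
    "<": "&lt;",
    ">": "&gt;",
    "'": "&#39;",
    '"': "&quot;",
    "&": "&amp;",
})


class SafeString(str):
    """A string the template author has declared safe (what |safe produces)."""


def escape(value):
    """Escape unconditionally, marking the result safe so it is not escaped twice."""
    return SafeString(str(value).translate(ESCAPE_TABLE))


def conditional_escape(value):
    """Skip values already marked safe; plain strings are escaped."""
    return value if isinstance(value, SafeString) else escape(value)


def render_variable(value, autoescape=True, filters=()):
    """Model {{ value|filter|... }} rendered under the given autoescape setting."""
    for name in filters:
        if name == "safe":
            value = SafeString(value)           # {{ text|safe }}
        elif name == "escape":
            value = conditional_escape(value)   # {{ text|escape }}
        else:
            raise ValueError("unknown filter: %s" % name)
    if autoescape:                              # default: {% autoescape on %}
        return str(conditional_escape(value))
    return str(value)                           # {% autoescape off %}


if __name__ == "__main__":
    text = "<h1>a title</h1>"  # the context value from the zhuanyi view above
    print(render_variable(text))                      # &lt;h1&gt;a title&lt;/h1&gt;
    print(render_variable(text, filters=("safe",)))   # <h1>a title</h1>
    print(render_variable(text, autoescape=False))    # <h1>a title</h1>
```

Note that a value marked safe is not escaped again even when the escape filter follows it, which is why `|safe` should only be applied to strings the server itself produced.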

Two, CSRF

  CSRF stands for Cross Site Request Forgery. An attacker steals your identity and sends malicious requests on your behalf: sending mail or messages in your name, stealing your account, even buying goods or transferring virtual currency. The result is disclosure of personal privacy and loss of property.

  CSRF attacks

When a client accesses the server, the server does not validate where the request came from, so forged requests made in the user's name get through.

  Preventing CSRF attacks

Django enables CSRF verification by default:

MIDDLEWARE = [
    'django.middleware.security.SecurityMiddleware',
    'django.contrib.sessions.middleware.SessionMiddleware',
    'django.middleware.common.CommonMiddleware',
    # CSRF verification enabled by default
    'django.middleware.csrf.CsrfViewMiddleware',
    'django.contrib.auth.middleware.AuthenticationMiddleware',
    'django.contrib.messages.middleware.MessageMiddleware',
    'django.middleware.clickjacking.XFrameOptionsMiddleware',
]

Now when you submit data through a form in a template (whether you write the fields by hand or set your own keys), the response is a page reading "Forbidden (403). CSRF verification failed. Request aborted." So the CSRF verification syntax must be added inside the form:

<form>
{# generates the csrftoken security field; it can be placed anywhere inside the form #}
{% csrf_token %}
</form>

If the request is not sent from a form, you must add the key-value pair to the POST data yourself; a form organises it into the submitted pairs automatically.

Summary of the CSRF protection mechanism provided by Django:

1. When Django first responds to a request from a client, it randomly generates a token on the server side and places it in a cookie. Every subsequent POST request carries this token, which defends against CSRF attacks.

2. In the cookie of the HTTP response, Django adds a csrftoken field for you whose value is the automatically generated token.

3. Every POST form must contain a csrfmiddlewaretoken field (just add the {% csrf_token %} tag in the template and Django generates it for you).

4. Before handling a POST request, Django checks whether the csrfmiddlewaretoken field submitted in the form matches the csrftoken field in the request's cookie.
If they match, the request is legitimate; otherwise it may be someone else's CSRF attack and 403 Forbidden is returned.
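The four steps above as an added model in plain Python (not Django's own middleware): dicts stand in for the cookie jar and POST data, and the check is the cookie-versus-form comparison the summary describes.

```python
import hmac
import secrets

# Added example, not Django's own code: a model of the four-step CSRF check
# described above. Plain dicts stand in for the cookie jar and POST data;
# real Django also masks the form token and does extra Referer checks on HTTPS.

def issue_token(response_cookies):
    """Steps 1 and 2: generate a random token and set it as the csrftoken cookie."""
    token = secrets.token_urlsafe(32)
    response_cookies["csrftoken"] = token
    return token

def csrf_token_tag(cookie_token):
    """Step 3: the hidden field that {% csrf_token %} renders inside the form."""
    return '<input type="hidden" name="csrfmiddlewaretoken" value="%s">' % cookie_token

def check_csrf(method, cookies, post_data):
    """Step 4: compare cookie and form tokens before a POST is handled.
    Returns (status, reason); safe methods are passed through unchecked."""
    if method in ("GET", "HEAD", "OPTIONS", "TRACE"):
        return 200, "safe method, not checked"
    cookie_token = cookies.get("csrftoken")
    if not cookie_token:
        return 403, "CSRF cookie not set."
    form_token = post_data.get("csrfmiddlewaretoken", "")
    # constant-time comparison so the token cannot be guessed byte by byte
    if not hmac.compare_digest(cookie_token.encode(), form_token.encode()):
        return 403, "CSRF token missing or incorrect."
    return 200, "ok"

def legitimate_post():
    """Browser loads the form (cookie set, hidden field rendered), then submits."""
    cookies = {}
    token = issue_token(cookies)
    assert 'name="csrfmiddlewaretoken"' in csrf_token_tag(token)
    return check_csrf("POST", cookies, {"csrfmiddlewaretoken": token, "title": "x"})

def cross_site_post():
    """A page on another site cannot read the victim's cookie, so its form
    carries no matching field, although the browser still sends the cookie."""
    cookies = {}
    issue_token(cookies)
    return check_csrf("POST", cookies, {"title": "x"})

if __name__ == "__main__":
    print(legitimate_post())   # (200, 'ok')
    print(cross_site_post())   # (403, 'CSRF token missing or incorrect.')
```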

 

Three, Verification codes

  On user registration and login pages, to prevent brute-force requests you can add a verification code (captcha). If the code is wrong, the request need not be processed any further, which reduces load on the server and database. Many tutorials and code libraries for this exist online.

  The server randomly generates a code string and stores it in the session; the user enters it, and the view function checks the input against the session value before going on to query the database.
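The session-based flow just described, as an added example (not the page's code; a dict stands in for request.session, and the alphabet, code length and 5-minute lifetime are this example's assumptions):

```python
import hmac
import secrets
import string
import time

# Added example, not the page's code: the verification-code flow described
# above. A plain dict stands in for request.session; the alphabet, code
# length and 5-minute lifetime are this example's assumptions. Drawing the
# code into an image is left out.

ALPHABET = string.ascii_uppercase + string.digits
CODE_LENGTH = 4
CODE_TTL = 300  # seconds a code stays valid


def issue_code(session, now=None):
    """Generate a random code and store it, with its issue time, in the session."""
    code = "".join(secrets.choice(ALPHABET) for _ in range(CODE_LENGTH))
    session["verify_code"] = code
    session["verify_code_time"] = time.time() if now is None else now
    return code


def check_code(session, user_input, now=None):
    """Compare the user's input with the session copy. The stored code is
    removed whether or not it matches, so one code gives exactly one attempt
    and a wrong guess forces a fresh code (the anti-brute-force point above)."""
    expected = session.pop("verify_code", None)
    issued = session.pop("verify_code_time", 0)
    if expected is None:
        return False
    now = time.time() if now is None else now
    if now - issued > CODE_TTL:
        return False
    submitted = user_input.strip().upper()  # tolerate case and surrounding spaces
    return hmac.compare_digest(expected.encode(), submitted.encode())


def login_view(session, post_data, lookup_user):
    """The view checks the code first; the database is only queried if it passes."""
    if not check_code(session, post_data.get("code", "")):
        return 400, "verification code incorrect"
    if lookup_user(post_data.get("username", ""), post_data.get("password", "")):
        return 200, "login ok"
    return 401, "bad username or password"
```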

Four, Reverse URL resolution

  Sometimes our URLs keep changing. A URL may change, yet I still want to reach the page I want; a redirect solves that.

  As the number of views grows, earlier URLs may no longer be the ones you want to match, and changing them everywhere is troublesome. Reverse resolution solves these problems: the URL is looked up by its pattern name instead of being hard-coded.

  Uses of reverse resolution: hyperlinks in templates, redirects in views.

urls.py (add a name to the pattern):

   path('booklist/', views.bookList, name="index"),

   path('fan/', views.fan),

# views.py
from django.shortcuts import render

def fan(request):
    return render(request, "Book/fan.html")

Dynamically generated address in a template:

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <title>Reverse resolution</title>
</head>
<body>
{# reverse lookup in a hyperlink: the url keyword comes first, then a space and the pattern name #}
<a href="{% url 'index' %}">Go to the index page</a>
</body>
</html>

 

The link jumps to the index page (screenshot not reproduced).

Reverse resolution in a view (redirect)

from django.shortcuts import redirect
from django.urls import reverse

# reverse lookup
def fan(request):
    return redirect(reverse("index"))

 

  Reverse resolution with regex parameters (positional parameters)

  re_path(r"^fan1/(\d+)/(\d+)/$", views.fan1, name="fan1"),

  # reverse resolution: positional parameters are passed in order
  from django.http import HttpResponse

  def fan1(request, v1, v2):
      s = '%s-%s' % (v1, v2)
      return HttpResponse(s)

{# the parameters are passed to the url tag in order #}
<a href="{% url 'fan1' 188 5415 %}">dynamic address: jump to fan1 with regex positional parameters</a>

Keyword arguments

  re_path(r"^(?P<number1>\d+)/(?P<number2>\d+)/$", views.index),

Named groups are passed to the view as keyword arguments, so the view's parameters must be called number1 and number2.
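What reverse() and the {% url %} tag do for the patterns in this section, as an added minimal model (not Django's own code; the patterns are assumed to sit in the root URLconf, and "numbers" is an assumed name for the keyword-argument pattern, which the page leaves unnamed):

```python
import re

# Added example, not Django's own code: a minimal model of what reverse() and
# the {% url %} tag do for the patterns in this section. The table is taken
# from the page with views replaced by names; the patterns are assumed to sit
# in the root URLconf, and "numbers" is an assumed name for the last pattern.

URL_PATTERNS = [
    ("index", r"^booklist/$"),
    ("fan", r"^fan/$"),
    ("fan1", r"^fan1/(\d+)/(\d+)/$"),
    ("numbers", r"^(?P<number1>\d+)/(?P<number2>\d+)/$"),
]

# one capture group: optional (?P<name>...) prefix, then the group body
GROUP_RE = re.compile(r"\((?:\?P<(\w+)>)?([^()]*)\)")

def reverse(name, args=(), kwargs=None):
    """Fill the named pattern's groups from args/kwargs, then confirm that the
    result still matches the pattern, as Django does (NoReverseMatch otherwise)."""
    pattern = next((p for n, p in URL_PATTERNS if n == name), None)
    if pattern is None:
        raise LookupError("no URL pattern named %r" % name)
    positional, keyword = list(args), dict(kwargs or {})

    def fill(match):
        group_name = match.group(1)
        if group_name:                      # named group: taken from kwargs
            if group_name not in keyword:
                raise LookupError("missing keyword argument %r" % group_name)
            return str(keyword.pop(group_name))
        if not positional:                  # unnamed group: next positional arg
            raise LookupError("missing positional argument for %r" % name)
        return str(positional.pop(0))

    path = GROUP_RE.sub(fill, pattern).lstrip("^").rstrip("$")
    if positional or keyword:
        raise LookupError("too many arguments for %r" % name)
    if not re.match(pattern, path):         # e.g. a non-digit given for (\d+)
        raise LookupError("arguments do not satisfy the pattern %r" % pattern)
    return "/" + path

def can_reverse(name, args=(), kwargs=None):
    """True if reverse() succeeds; lets callers probe the failure cases."""
    try:
        reverse(name, args, kwargs)
        return True
    except LookupError:
        return False
```

With this table, `{% url 'fan1' 188 5415 %}` resolves to /fan1/188/5415/, and renaming a pattern's path only requires changing the table, not every template that links to it.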

 


Origin www.cnblogs.com/lishuntao/p/11665859.html