0627 notes:
XSS attacks:
"""djangoxss URL Configuration The `urlpatterns` list routes URLs to views. For more information please see: https://docs.djangoproject.com/en/1.11/topics/http/urls/ Examples: Function views 1. Add an import: from my_app import views 2. Add a URL to urlpatterns: url(r‘^$‘, views.home, name=‘home‘) Class-based views 1. Add an import: from other_app.views import Home 2. Add a URL to urlpatterns: url(r‘^$‘, Home.as_view(), name=‘home‘) Including another URLconf 1. Import the include() function: from django.conf.urls import url, include 2. Add a URL to urlpatterns: url(r‘^blog/‘, include(‘blog.urls‘)) """ from django.conf.urls import url from django.contrib import admin from app01 import views urlpatterns = [ url(r‘^admin/‘, admin.site.urls), url(r‘^comment/‘, views.comment), #输入内容 url(r‘^index/‘, views.index), #查看内容 url(r‘^test/‘, views.test), #测试页 ]
urls.py
```python
from django.shortcuts import render
from django.utils.safestring import mark_safe

# Create your views here.
msg = []  # module-level list: every accepted comment is appended here


def comment(request):
    if request.method == "GET":
        return render(request, 'comment.html')
    else:
        v = request.POST.get('content')
        # the post's keyword filter: reject any submission containing "script"
        if "script" in v:
            return render(request, 'comment.html', {'error': '小比崽子还黑我'})
        else:
            msg.append(v)
            return render(request, 'comment.html')


def index(request):
    return render(request, 'index.html', {'msg': msg})


def test(request):
    temp = "<a href='http://www.baidu.com'>百度</a>"
    newtemp = mark_safe(temp)  # mark the string as safe so the template does not escape it
    # return render(request, 'test.html', {'temp': temp})
    return render(request, 'test.html', {'temp': newtemp})
```
views.py
Template files (html)
```html
<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <title></title>
</head>
<body>
    <form method="POST" action="/comment/">
        {# required when CsrfViewMiddleware is enabled, which is Django's default #}
        {% csrf_token %}
        <input type="text" name="content" />
        <input type="submit" value="提交" />{{ error }}
    </form>
</body>
</html>
```
comment.html: submits the content
```html
<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <title></title>
</head>
<body>
    <h1>评论</h1>
    {% for item in msg %}
        {# adding |safe marks the submitted data as safe, so it is inserted without escaping #}
        <div>{{ item|safe }}</div>
    {% endfor %}
</body>
</html>
```
index.html: displays the content submitted through comment
```html
<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <title></title>
</head>
<body>
    {{ temp|safe }}
</body>
</html>
```
test.html: test page
XSS summary:
XSS injection attack (cross-site scripting)

A script that keeps popping up alert boxes in a loop:

```javascript
for (var i = 0, j = 0; i < 999, j < 9999; i++, j++) {
    window.alert("");
}
```

A page whose submitted content ends up containing script tags:

```html
<html>
<head>text</head>
<body>
    <form>
        <input type="text" name="text">
    </form>
</body>
</html>
<script>
    alert('sb')
</script>
<script>
    // reads the local cookie and sends it to www.xxx.com (the attacker's site),
    // i.e. the visitor's private cookie is handed to the attacker
</script>
```

The template that renders the comments:

```html
<h1>评论</h1>
{% for item in msg %}
    <div>{{ item|safe }}</div>
{% endfor %}
```

Writing `safe` here is what causes the problem: anything marked safe is content that other people can add or write at will, so special characters must be filtered. `<script>alert('sb')</script>` pops up one dialog box; if it runs in a loop it will overwhelm the browser.
Marking a string or tag as safe:
There are two ways:
1. In the template, append `|safe` to the variable: `{{ temp|safe }}`
2. In the view, wrap the string with `mark_safe`:

```python
from django.shortcuts import render
from django.utils.safestring import mark_safe


def test(request):
    temp = "<a href='http://www.baidu.com'>百度</a>"
    newtemp = mark_safe(temp)
    # return render(request, 'test.html', {'temp': temp})
    return render(request, 'test.html', {'temp': newtemp})
```
XSS attacks:
Use `safe` and `mark_safe` with caution.
If you really have to use them, filter keywords when the data is submitted.
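Added example (not code from the original post): the post's keyword check placed next to output escaping, written in plain Python so it runs without Django. Leaving `|safe` off is what gives you Django's autoescaping, and `django.utils.html.escape` applies the same five substitutions as the standard library's `html.escape(..., quote=True)`, which is what this example uses.

```python
import html


def keyword_filter_accepts(content):
    """The post's input-time check: reject any submission that contains
    the substring 'script'. It is case-sensitive and matches substrings,
    so it also rejects harmless text that happens to contain the word."""
    return "script" not in content


def render_unsafe(comments):
    """What index.html does with {{ item|safe }}: each stored comment is
    pasted into the page verbatim, so any markup inside it becomes live."""
    return "".join("<div>%s</div>" % c for c in comments)


def render_escaped(comments):
    """What index.html does once |safe is removed: autoescaping turns
    < > & \" ' into entities, so the browser displays the text instead of
    interpreting it as a tag."""
    return "".join("<div>%s</div>" % html.escape(c, quote=True) for c in comments)


def contains_live_script_tag(rendered):
    """Check used below: does the rendered page still hold an un-escaped
    <script tag (case-insensitive), i.e. one the browser would execute?"""
    return "<script" in rendered.lower()


if __name__ == "__main__":
    # constructed sample comments: one benign, one the post's own payload
    samples = ["a javascript tutorial", "<script>alert('sb')</script>"]
    for s in samples:
        print("filter accepts %r: %s" % (s, keyword_filter_accepts(s)))
    print("unsafe :", render_unsafe(samples[1:]))
    print("escaped:", render_escaped(samples[1:]))
```

The keyword filter rejects the benign comment as well as the payload, while escaping at output time keeps every comment and still leaves the payload inert.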
Time: 2024-11-05 19:02:59