XSS攻击
XSS又叫CSS (Cross Site Script) ,跨站脚本攻击。它指的是恶意攻击者往web页面里插入恶意的html代码,当用户浏览该页之时,嵌入其中web里面的html代码会被执行,从而达到恶意用户的特殊目的。
##############xss攻击############# **************************************** #不带if判断进行关键字过滤代码 msg=[] def comment(request): if request.method =="GET": return render(request,'comment.html') else: v = request.POST.get('content') msg.append(v) return render(request,'comment.html') def index(request): return render(request,'index.html',{'msg':msg}) ***************************************** ***************************************** #带if判断进行关键字过滤代码 msg=[] def comment(request): if request.method =="GET": return render(request,'comment.html') else: v = request.POST.get('content') if "script" in v: return render(request,'comment.html',{'error':'黑你大爷'}) else: msg.append(v) return render(request, 'comment.html') def index(request): return render(request,'index.html',{'msg':msg}) ********************************************* ********************************************* #测试: def test(request): from django.utils.safestring import mark_safe temp = "<a href='http://www.baidu.com'>百度</a>" newtemp = mark_safe(temp) return render(request, 'test.html', {'temp': newtemp}) ******************************************** 注: # 1.用<script>alert(11222)</script>模拟攻击代码 # 2.过滤攻击方式: a.在接受评论端(前端代码)不要写 |safe. 比如:<div>{{ item|safe }}</div> #b.在后台代码中进行if关键字过滤判断 3.test.html: # 里面如果不加|safe,渲染出来的只是普通字符“ <a href='http://www.baidu.com'>百度</a>” # 如果加|safe,渲染出来的是<a>标签连接 #后端标记字符串安全: (前端不加safe,后端加safe) #导入模块 :from django.utils.safestring import mark_safe #说明安全:ewtemp = mark_safe(temp)
<!DOCTYPE html> <html lang="en"> <head> <meta charset="UTF-8"> <title>Title</title> </head> <body> <form method="POST" action="/comment/"> <input type="text" name="content"> <input type="submit" value="提交"/>{{ error }} </form> </body> </ht
<!DOCTYPE html> <html lang="en"> <head> <meta charset="UTF-8"> <title>Title</title> </head> <body> <h3>评论</h3> {% for item in msg %} <div>{{ item }}</div> {# <div>{{ item|safe }}</div>#} {% endfor %} </body> </ht
<!DOCTYPE html> <html lang="en"> <head> <meta charset="UTF-8"> <title>Title</title> </head> <body> {# {{ temp|safe }}#} {{ temp }} </body> </htm
"""day73 URL Configuration The `urlpatterns` list routes URLs to views. For more information please see: https://docs.djangoproject.com/en/1.10/topics/http/urls/ Examples: Function views 1. Add an import: from my_app import views 2. Add a URL to urlpatterns: url(r'^$', views.home, name='home') Class-based views 1. Add an import: from other_app.views import Home 2. Add a URL to urlpatterns: url(r'^$', Home.as_view(), name='home') Including another URLconf 1. Import the include() function: from django.conf.urls import url, include 2. Add a URL to urlpatterns: url(r'^blog/', include('blog.urls')) """ from django.conf.urls import url from django.contrib import admin from app01 import views urlpatterns = [ url(r'^admin/', admin.site.urls), url(r'^test/',views.test), url(r'^comment/',views.comment), url(r'^index/',views.index), ]