XSS attack (cross-site scripting)
Cross-site scripting: an attacker inserts JS code into a web page, so the page misbehaves and becomes unsafe.
What the insecurity looks like: if an attacker gets JS that reads the cookie inserted into a page, then whenever a user visits that site the attacker obtains the user's cookie, and with it can impersonate that user.
On the template side there is the safe filter; on the backend there is mark_safe.
Be careful with safe: if users are able to put JS code into the page (i.e. they control the content), do not add safe. If you really have to, make sure the backend filters script code out first. For markup we wrote ourselves, adding safe is harmless.
When using mark_safe, data that came from a user must likewise be sanitized before it is marked.
Django enables this layer of XSS protection by default: template output is autoescaped unless you switch it off.
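To make concrete what that default protection does and what safe / mark_safe switch off, here is an added example (not code from the original post, and not Django's own implementation): a tiny re-implementation of Django's escaping rules and its SafeString marker, applied to the same comment loop the demo's index.html uses. The function names mirror Django's, but these are stand-ins written for this demo, and the sample comments are constructed.

```python
# Added example, not from the original post: a minimal re-implementation of the
# autoescaping Django templates apply to {{ value }}, plus the two escape hatches
# the post mentions, the |safe filter and mark_safe(). Sample comments constructed.

class SafeString(str):
    """Marker type: text the developer vouches for; autoescape leaves it alone."""


def mark_safe(s):
    # Backend escape hatch: declare a string trusted. Never call it on user input.
    return SafeString(s)


def escape(text):
    # The same five replacements Django's escape() makes, in this order.
    return (str(text).replace("&", "&amp;")
                     .replace("<", "&lt;")
                     .replace(">", "&gt;")
                     .replace('"', "&quot;")
                     .replace("'", "&#x27;"))


def conditional_escape(text):
    # What {{ value }} does with autoescape on: strings marked safe pass through untouched.
    return text if isinstance(text, SafeString) else escape(text)


def render_comments(msg, use_safe_filter=False):
    # Mirrors the loop in index.html: <div>{{ item }}</div> versus <div>{{ item | safe }}</div>.
    divs = []
    for item in msg:
        body = item if use_safe_filter else conditional_escape(item)
        divs.append("<div>%s</div>" % body)
    return "".join(divs)


# Constructed sample comments: one harmless, one carrying a script tag.
SAMPLE_MSG = ["nice post", "<script>alert(1)</script>"]

if __name__ == "__main__":
    print(render_comments(SAMPLE_MSG))                        # tags entity-encoded: inert text
    print(render_comments(SAMPLE_MSG, use_safe_filter=True))  # script tag reaches the browser as-is
    print(conditional_escape(mark_safe("<a href='http://www.baidu.com'>baidu</a>")))  # untouched
```

The second call is exactly the situation the post warns about: with `| safe` on user-supplied text the script tag is emitted verbatim.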
Example: simulating what happens when a user types JS code into the input box.
For this demo the CSRF middleware can be commented out in the settings file.
URL configuration:

"""djangoxss URL Configuration

The `urlpatterns` list routes URLs to views. For more information please see:
    https://docs.djangoproject.com/en/2.1/topics/http/urls/
Examples:
Function views
    1. Add an import:  from my_app import views
    2. Add a URL to urlpatterns:  path('', views.home, name='home')
Class-based views
    1. Add an import:  from other_app.views import Home
    2. Add a URL to urlpatterns:  path('', Home.as_view(), name='home')
Including another URLconf
    1. Import the include() function: from django.urls import include, path
    2. Add a URL to urlpatterns:  path('blog/', include('blog.urls'))
"""
from django.contrib import admin
from django.urls import path
from app01 import views

urlpatterns = [
    path('admin/', admin.site.urls),
    path('index/', views.index),
    path('comment/', views.comment),
    path('test/', views.test),
]
Views:

from django.shortcuts import render
from django.utils.safestring import mark_safe

msg = []  # in-memory comment store, enough for the demo


def comment(request):
    if request.method == 'GET':
        return render(request, 'comment.html')
    else:
        m = request.POST.get('content', '')  # default to '' so a missing field does not crash the check
        if "script" in m:  # of course this is a naive check; there are countless other ways to write JS
            return render(request, 'comment.html', {'error': 'you little punk, trying to hack me?'})
        else:
            msg.append(m)
            return render(request, 'comment.html')


def index(request):
    return render(request, 'index.html', {'msg': msg})


def test(request):
    temp = "<a href='http://www.baidu.com'>baidu</a>"
    newtemp = mark_safe(temp)  # markup we wrote ourselves, so marking it safe is fine
    return render(request, 'test.html', {'temp': newtemp})
index.html:

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <title>index</title>
</head>
<body>
<h3>Comments</h3>
{% for item in msg %}
    <div>{{ item | safe }}</div>
{% endfor %}
</body>
</html>
comment.html:

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <title>comment</title>
</head>
<body>
<form action="/comment/" method="post">
    {% csrf_token %}
    <p><input type="text" name="content"></p>
    <input type="submit" value="Submit">
</form>
<p>{{ error }}</p>
</body>
</html>
test.html:

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <title>test</title>
</head>
<body>
{{ temp }}
</body>
</html>
CSRF (cross-site request forgery)
Example:
<form action="http://www.cmbchina.com/">
    askjsakjskasdd
    <input type="text" value="18554523538356645" name="to" style="display: none">
    <input type="text" value="188888888888888" name="money" style="display: none">
    <a>Beautiful girls, click me</a>
</form>
<a href="http://www.cmbchina.com/?to=18554523538356645&money=188888888888888">Beautiful girls, click me</a>
csrf_token: the server generates a random string to authenticate the user; when the user sends requests to the server they must carry this string along, otherwise anyone could send forged requests in the user's name.
This mechanism alone cannot rule out every forged request, which is why things like various captchas get added later on.
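As an added example (not code from the original post, and not Django's own implementation), here is a compact stand-in for the check Django's CsrfViewMiddleware performs: a per-session secret goes to the browser in the csrftoken cookie, and every state-changing request must echo it back as the csrfmiddlewaretoken form field or the X-CSRFToken header. Tokens are masked with a random salt the way Django masks them, so the cookie and the submitted value differ on the wire yet unmask to the same secret; the request dicts are constructed stand-ins for HttpRequest.

```python
import hmac
import secrets
from string import ascii_letters, digits

# Assumption (constructed for this demo, not Django's code): a request is a plain dict
# with the keys method, cookies, post and headers, standing in for HttpRequest.
ALLOWED = ascii_letters + digits   # token alphabet, as in Django
SECRET_LEN = 32
SAFE_METHODS = ("GET", "HEAD", "OPTIONS", "TRACE")

def new_secret():
    """Per-session secret the server generates once and sets in the csrftoken cookie."""
    return "".join(secrets.choice(ALLOWED) for _ in range(SECRET_LEN))

def mask(secret):
    """salt || (secret + salt) mod |ALLOWED|: a fresh 64-char token on every call,
    so the value in the form field never equals the cookie byte for byte."""
    salt = new_secret()
    pairs = zip((ALLOWED.index(c) for c in secret), (ALLOWED.index(c) for c in salt))
    return salt + "".join(ALLOWED[(x + y) % len(ALLOWED)] for x, y in pairs)

def unmask(token):
    """Inverse of mask(): split off the salt and subtract it out again."""
    salt, body = token[:SECRET_LEN], token[SECRET_LEN:]
    pairs = zip((ALLOWED.index(c) for c in body), (ALLOWED.index(c) for c in salt))
    return "".join(ALLOWED[(x - y) % len(ALLOWED)] for x, y in pairs)

def well_formed(token):
    return len(token) == 2 * SECRET_LEN and all(c in ALLOWED for c in token)

def csrf_check(request):
    """True if the request may reach the view; mirrors what @csrf_protect enforces."""
    if request["method"] in SAFE_METHODS:
        return True  # only state-changing methods are checked
    cookie = request["cookies"].get("csrftoken", "")
    # the token may arrive as the form field (submitForm1/3) or the header (submitForm2)
    supplied = request["post"].get("csrfmiddlewaretoken") or request["headers"].get("X-CSRFToken", "")
    if not (well_formed(cookie) and well_formed(supplied)):
        return False  # a cross-site form cannot read the cookie, so it has no token to send
    return hmac.compare_digest(unmask(cookie), unmask(supplied))

if __name__ == "__main__":
    secret = new_secret()
    good = {"method": "POST", "cookies": {"csrftoken": mask(secret)},
            "post": {"money": "1", "csrfmiddlewaretoken": mask(secret)}, "headers": {}}
    forged = {"method": "POST", "cookies": {"csrftoken": mask(secret)},
              "post": {"to": "some-account", "money": "100"}, "headers": {}}
    print(csrf_check(good), csrf_check(forged))  # True False
```

The forged request models the hidden-input form above: the browser attaches the cookie, but the attacker's page cannot read it to fill in the matching field, so the check fails.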
Countermeasures:
URL configuration:

urlpatterns = [
    path('admin/', admin.site.urls),
    path('csrf1/', views.csrf1),
]
Views:

from django.shortcuts import render, HttpResponse
from django.views.decorators.csrf import csrf_exempt, csrf_protect


# csrf_token: a random string, against cross-site request forgery. This mechanism alone
# cannot stop every forged request, which is why things like captchas get added later on.
# @csrf_exempt   # disable the check for this view only
# @csrf_protect  # enable the check for this view only
# FBV


@csrf_protect
def csrf1(request):
    if request.method == 'GET':
        return render(request, 'csrf1.html')
    else:
        return HttpResponse('1')


# CBV
from django.views import View
from django.utils.decorators import method_decorator


def wrapper(func):
    def inner(*args, **kwargs):
        return func(*args, **kwargs)
    return inner


# 1. Decorate the method inside the class
class Foo(View):
    def dispatch(self, request, *args, **kwargs):
        # keep the default routing to get()/post(); a bare `pass` here would return None
        return super().dispatch(request, *args, **kwargs)

    @method_decorator(wrapper)
    def get(self, request):
        return HttpResponse('get')

    def post(self, request):
        return HttpResponse('post')


# 2. Decorate the class, naming the method
@method_decorator(wrapper, name='get')
class Foo(View):
    def dispatch(self, request, *args, **kwargs):
        return super().dispatch(request, *args, **kwargs)

    def get(self, request):
        return HttpResponse('get')

    def post(self, request):
        return HttpResponse('post')


# For csrf it has to be done this way
@method_decorator(csrf_protect, name='post')
class Foo(View):
    def dispatch(self, request, *args, **kwargs):
        return super().dispatch(request, *args, **kwargs)

    def get(self, request):
        return HttpResponse('get')

    def post(self, request):
        return HttpResponse('post')
csrf1.html:

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <title></title>
</head>
<body>
<form action="/csrf1/" method="post">
    {% csrf_token %}
    {# {{ csrf_token }} gives just the token string; the csrf_token tag renders the hidden input whose value is that string #}
    <input id='money' type="text" name="money">
    <input type="submit" value="Submit">
    <a onclick="submitForm1();">ajax submit 1</a>
    <a onclick="submitForm2()">ajax submit 2</a>
    <a onclick="submitForm3()">ajax submit 3</a>
</form>
<script src="/static/jquery-3.3.1.js"></script>
<script src="/static/jquery.cookie.js"></script>
<script>
    // 1. read the token from the hidden input the csrf_token tag rendered and send it as a form field
    function submitForm1() {
        var csrf = $('input[name="csrfmiddlewaretoken"]').val();
        var money = $('#money').val();
        $.ajax({
            url: '/csrf1/',
            type: 'POST',
            data: {
                "money": money,
                "csrfmiddlewaretoken": csrf
                // if data is {'k': values} and values is a list, be sure to add traditional: true
                // and read it on the server with request.POST.getlist; nested dicts are not supported
            },
            success: function (arg) {
                console.log(arg);
            }
        })
    }
    // 2. read the token from the csrftoken cookie and send it in the X-CSRFToken header
    function submitForm2() {
        var token = $.cookie('csrftoken');
        /* $.cookie('abcd','111111ahadjshddghg'); */
        var money = $('#money').val();
        $.ajax({
            url: '/csrf1/',
            type: 'POST',
            headers: {
                'X-CSRFToken': token
            },
            data: {
                "money": money
            },
            success: function (arg) {
                console.log(arg);
            }
        })
    }
    // 3. inline the token into the script from the template; it must be quoted to be a JS string literal
    function submitForm3() {
        var money = $('#money').val();
        $.ajax({
            url: '/csrf1/',
            type: 'POST',
            data: {
                "money": money,
                "csrfmiddlewaretoken": "{{ csrf_token }}"
            },
            success: function (arg) {
                console.log(arg);
            }
        })
    }
</script>
</body>
</html>