XSS (Cross Site Scripting; it was originally abbreviated CSS, but is written XSS to avoid confusion with Cascading Style Sheets) is a cross-site scripting attack. An attacker injects malicious HTML or JavaScript into a web page; when a user browses that page, the browser executes the injected code as if it were part of the site, which lets the attacker achieve whatever the malicious user intended in the context of the victim's session.
############## XSS attack #############

views.py, version without the if-check keyword filter:

```python
from django.shortcuts import render

msg = []  # in-memory comment store; demo only, shared by every request

def comment(request):
    if request.method == "GET":
        return render(request, 'comment.html')
    else:
        v = request.POST.get('content', '')  # default avoids None if the field is missing
        msg.append(v)                        # stored exactly as submitted, no escaping here
        return render(request, 'comment.html')

def index(request):
    return render(request, 'index.html', {'msg': msg})
```

views.py, version with the if-check keyword filter:

```python
from django.shortcuts import render

msg = []

def comment(request):
    if request.method == "GET":
        return render(request, 'comment.html')
    else:
        v = request.POST.get('content', '')
        if "script" in v:  # case-sensitive substring blacklist
            return render(request, 'comment.html', {'error': 'Nice try.'})
        else:
            msg.append(v)
            return render(request, 'comment.html')

def index(request):
    return render(request, 'index.html', {'msg': msg})
```

Test view:

```python
from django.shortcuts import render
from django.utils.safestring import mark_safe

def test(request):
    temp = "<a href='http://www.baidu.com'>百度</a>"
    newtemp = mark_safe(temp)  # tells the template engine not to escape this string
    return render(request, 'test.html', {'temp': newtemp})
```

Notes:

1. Use `<script>alert(11222)</script>` as the simulated attack payload.
2. Ways to block the attack:
   a. On the side that displays the comments (the template), do not use `|safe`. For example `<div>{{ item|safe }}</div>` turns the stored comment back into live HTML, while `<div>{{ item }}</div>` is autoescaped by Django.
   b. In the backend, reject comments with an if keyword check. Note that this check is a blacklist: it is case-sensitive and only matches the literal `script`, so payloads such as `<SCRIPT>` or `<img src=x onerror=alert(1)>` pass through unchanged. It is a demonstration, not a substitute for autoescaping.
3. test.html: without `|safe`, the rendered result is just the plain text "<a href='http://www.baidu.com'>百度</a>"; with `|safe`, it renders as a clickable <a> link.

Marking a string safe in the backend (no `|safe` in the template, `mark_safe` in the view):

- import the module: `from django.utils.safestring import mark_safe`
- declare it safe: `newtemp = mark_safe(temp)`

`mark_safe` switches escaping off for that string, so apply it only to markup you built yourself, never to anything that contains user input.
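The keyword check and the `|safe` / `mark_safe` behaviour above can be exercised without running Django. The following is an added example, not code from the original post: it stands in for Django's autoescaping with `html.escape` from the Python standard library (which emits equivalent entities for `&`, `<`, `>`, `"` and `'`), the payload list is constructed for the demonstration, and `make_safe_link` is a hypothetical helper showing how the anchor from the test view could be assembled from untrusted parts before it is marked safe.

```python
"""Added example: why `if "script" in v` is not an XSS defence, and what
escaping (Django's default for {{ item }}) does to the same payloads.
Uses only the standard library so it runs without Django."""
import html
from urllib.parse import urlsplit

# Constructed attack payloads; the first one is the post's own test string.
PAYLOADS = [
    "<script>alert(11222)</script>",
    "<SCRIPT>alert(1)</SCRIPT>",               # only the case differs
    "<img src=x onerror=alert(1)>",            # event handler, no <script> at all
    "<svg onload=alert(1)>",
    '<a href="javascript:alert(1)">click</a>', # caught only because the URL scheme contains "script"
]


def blacklist_rejects(content):
    """Mirror of the post's check: case-sensitive substring match on "script"."""
    return "script" in content


def bypasses_blacklist():
    """Payloads that slip past the keyword filter and would execute if rendered with |safe."""
    return [p for p in PAYLOADS if not blacklist_rejects(p)]


def escape_for_html(content):
    """What autoescaping does to {{ item }}: & < > " ' become entities, so the
    browser shows the payload as text instead of parsing it as markup."""
    return html.escape(content, quote=True)


def looks_like_markup(rendered):
    """True if the rendered output still contains a raw '<' the browser would parse as a tag."""
    return "<" in rendered


def make_safe_link(href, text):
    """Hypothetical helper: build the anchor from the test view out of untrusted parts.
    Each piece is escaped and the URL scheme is allow-listed, so the result is the
    only kind of string that should ever be handed to mark_safe."""
    scheme = urlsplit(href).scheme.lower()
    if scheme not in ("http", "https"):
        raise ValueError("only http(s) links are allowed")
    return '<a href="%s">%s</a>' % (html.escape(href, quote=True),
                                     html.escape(text, quote=True))


if __name__ == "__main__":
    for p in PAYLOADS:
        verdict = "rejected" if blacklist_rejects(p) else "PASSES filter"
        print("%-45s %-14s escaped -> %s" % (p, verdict, escape_for_html(p)))
    print(make_safe_link("http://www.baidu.com", "百度"))
```

In a real Django view the equivalent of `make_safe_link` is `django.utils.html.format_html`, which escapes each argument and returns a `SafeString`; the point is that escaping happens per interpolated value before, not instead of, marking the assembled markup safe.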
comment.html (the form that posts a comment to /comment/):

```html
<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <title>Title</title>
</head>
<body>
    <form method="POST" action="/comment/">
        <input type="text" name="content">
        <input type="submit" value="Submit"/>{{ error }}
    </form>
</body>
</html>
```

index.html (renders the stored comments; the commented-out line is the vulnerable variant):

```html
<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <title>Title</title>
</head>
<body>
    <h3>Comments</h3>
    {% for item in msg %}
        <div>{{ item }}</div>
        {# <div>{{ item|safe }}</div> #}
    {% endfor %}
</body>
</html>
```

test.html (the variable is already marked safe in the view, so no `|safe` is needed here):

```html
<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <title>Title</title>
</head>
<body>
    {# {{ temp|safe }} #}
    {{ temp }}
</body>
</html>
```
urls.py:

```python
"""day73 URL Configuration

The `urlpatterns` list routes URLs to views. For more information please see:
    https://docs.djangoproject.com/en/1.10/topics/http/urls/
Examples:
Function views
    1. Add an import:  from my_app import views
    2. Add a URL to urlpatterns:  url(r'^$', views.home, name='home')
Class-based views
    1. Add an import:  from other_app.views import Home
    2. Add a URL to urlpatterns:  url(r'^$', Home.as_view(), name='home')
Including another URLconf
    1. Import the include() function: from django.conf.urls import url, include
    2. Add a URL to urlpatterns:  url(r'^blog/', include('blog.urls'))
"""
from django.conf.urls import url
from django.contrib import admin
from app01 import views

urlpatterns = [
    url(r'^admin/', admin.site.urls),
    url(r'^test/', views.test),
    url(r'^comment/', views.comment),
    url(r'^index/', views.index),
]
```