XSS attacks

    XSS (Cross Site Script, i.e. cross-site scripting; it was once also abbreviated CSS, a name dropped to avoid confusion with Cascading Style Sheets) refers to an attacker inserting malicious HTML or JavaScript into a web page. When a user views that page, the embedded code is executed by the user's browser in the context of the site, which lets the attacker accomplish their goal.

    ############## XSS attack demo ##############
    # views.py (app01). Both versions of comment() are shown in full; in a real
    # project only one definition of comment() would exist.
    from django.shortcuts import render
    from django.utils.safestring import mark_safe
    
    
    ****************************************
    # Version 1: no keyword filtering on submitted comments.
    # Demo-only storage: a module-level list (lost on restart, not shared between
    # worker processes). The comment is stored exactly as submitted, so whether
    # <script>alert(11222)</script> runs is decided solely by how index.html
    # renders it ({{ item }} autoescapes, {{ item|safe }} does not).
    msg = []
    def comment(request):
        if request.method == "GET":
            return render(request, 'comment.html')
        else:
            v = request.POST.get('content', '')   # default '' so a missing field is not None
            msg.append(v)
            return render(request, 'comment.html')
    def index(request):
        return render(request, 'index.html', {'msg': msg})
    *****************************************
    
    *****************************************
    # Version 2: server-side keyword filtering with an if check.
    # This is a blacklist: it only rejects input containing the lowercase string
    # "script" (enough for the test payload). It does not stop <SCRIPT>, <img onerror=...>
    # or <svg onload=...>, so keep template autoescaping on as the real defence and
    # treat this check as defence in depth at most.
    msg = []
    def comment(request):
        if request.method == "GET":
            return render(request, 'comment.html')
        else:
            v = request.POST.get('content', '')
            if "script" in v:
                return render(request, 'comment.html', {'error': 'Nice try, hacker'})
            else:
                msg.append(v)
                return render(request, 'comment.html')
    def index(request):
        return render(request, 'index.html', {'msg': msg})
    *********************************************
    
    *********************************************
    # Test: marking a string safe on the backend instead of using |safe in the template.
    # mark_safe tells the template engine not to escape this value; that is only
    # acceptable here because temp is a developer-written constant with no user input.
    def test(request):
        temp = "<a href='http://www.baidu.com'>百度</a>"
        newtemp = mark_safe(temp)
        return render(request, 'test.html', {'temp': newtemp})
    
    ********************************************
    Notes:
    
    # 1. Use <script>alert(11222)</script> to simulate the attack payload.
    # 2. Ways to block the attack:
           a. On the side that displays the comments (template code), do not write |safe,
              i.e. do not use <div>{{ item|safe }}</div>. With plain {{ item }} Django's
              autoescaping turns < > & " ' into HTML entities, so the payload is shown as
              text rather than executed.
    
           # b. In the backend code, filter on keywords with an if check. On its own this is
              a weak blacklist (it misses <SCRIPT>, <img onerror=...> and similar); use it
              only in addition to a, never instead of it.
    
    
      3. test.html:
           # Without |safe, the rendered result is just the literal characters
             <a href='http://www.baidu.com'>百度</a>; with |safe it is rendered as an <a> link.
           # Marking the string safe on the backend instead:
             (no |safe in the template, mark_safe in the view)
           # import: from django.utils.safestring import mark_safe
           # mark as safe: newtemp = mark_safe(temp)
           # Only do this for markup you control; never mark_safe a string that contains user input.
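Added example (not from the original post): a stdlib-only Python script showing why the keyword check in version 2 of `comment()` above is not a defence by itself, and what Django's template autoescaping does instead. The payload strings are constructed for this demo; `autoescape` reproduces the five substitutions of `django.utils.html.escape` with Python's `html.escape`, so it runs without Django installed.

```python
"""Keyword blacklist vs output encoding for the comment demo above.

Added example, stdlib only. PAYLOADS are constructed test strings; the first
one is the post's own test payload.
"""
import html

PAYLOADS = [
    "<script>alert(11222)</script>",            # the post's test payload
    "<SCRIPT>alert(1)</SCRIPT>",                # case variant: no lowercase 'script'
    "<img src=x onerror=alert(1)>",             # event handler, no 'script' at all
    "<svg onload=alert(1)>",                    # another handler-based vector
    "<a href='javascript:alert(1)'>click</a>",  # 'javascript:' does contain 'script'
]


def naive_keyword_filter(v: str) -> bool:
    """Mirror of the post's server-side check. True means 'reject this comment'."""
    return "script" in v


def bypasses_filter(v: str) -> bool:
    """True if the payload would be accepted and stored by version 2 of comment()."""
    return not naive_keyword_filter(v)


def filter_report() -> dict:
    """Map each constructed payload to whether it slips past the blacklist."""
    return {p: bypasses_filter(p) for p in PAYLOADS}


def autoescape(v: str) -> str:
    """The same five substitutions Django applies to {{ var }} when autoescaping is on:
    & < > " ' -> &amp; &lt; &gt; &quot; &#x27; (here via the stdlib html module)."""
    return html.escape(v, quote=True)


def render_comment_div(v: str, safe: bool = False) -> str:
    """Emulate <div>{{ item }}</div> (safe=False) versus <div>{{ item|safe }}</div> (safe=True)."""
    body = v if safe else autoescape(v)
    return f"<div>{body}</div>"


def contains_active_markup(rendered: str) -> bool:
    """Demo-only check: the comment is live markup if any '<' survived inside the wrapper div."""
    inner = rendered.replace("<div>", "").replace("</div>", "")
    return "<" in inner


if __name__ == "__main__":
    for payload, slipped in filter_report().items():
        print(f"{'BYPASS' if slipped else 'blocked':8} {payload}")
    # Autoescaping neutralises every payload, including the ones the blacklist missed.
    for payload in PAYLOADS:
        assert not contains_active_markup(render_comment_div(payload))
        assert contains_active_markup(render_comment_div(payload, safe=True))
    print("autoescaped:", render_comment_div(PAYLOADS[2]))
```

Three of the five constructed payloads pass the `"script" in v` check, yet none of them survives `{{ item }}` rendering: the encoding is applied to the output regardless of what the input looks like, which is why the template side (note 2a) is the defence that matters and the keyword check (note 2b) is only an extra layer.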
    comment.html:
    <!DOCTYPE html>
    <html lang="en">
    <head>
        <meta charset="UTF-8">
        <title>Title</title>
    </head>
    <body>
        <form method="POST" action="/comment/">
            {% csrf_token %}{# required when CsrfViewMiddleware is enabled; renders nothing otherwise #}
            <input type="text" name="content">
            <input type="submit" value="Submit"/>{{ error }}
        </form>
    </body>
    </html>
    index.html:
    <!DOCTYPE html>
    <html lang="en">
    <head>
        <meta charset="UTF-8">
        <title>Title</title>
    </head>
    <body>
        <h3>Comments</h3>
        {% for item in msg %}
    
            <div>{{ item }}</div>{# autoescaped: the stored payload is shown as text #}
    
    {#         <div>{{ item|safe }}</div>  enabling this line is what lets the stored payload execute #}
    
        {% endfor %}
    </body>
    </html>
    test.html:
    <!DOCTYPE html>
    <html lang="en">
    <head>
        <meta charset="UTF-8">
        <title>Title</title>
    </head>
    <body>
    {#    {{ temp|safe }}  not needed: the view already passes a mark_safe() value #}
            {{ temp }}
    </body>
    </html>
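Added example (not from the original post): a stdlib-only model of how `mark_safe` interacts with autoescaping in the `test` view and `test.html` above, and how to build the same link from untrusted data without losing escaping. `SafeString`, `mark_safe`, `conditional_escape` and `format_html` here are small stand-ins that mirror the behaviour of `django.utils.safestring` and `django.utils.html`; they are not Django's code, and the `label` values passed in are constructed inputs.

```python
"""mark_safe semantics for the test view above, modelled without Django.

Added example, stdlib only. The classes and functions below imitate what
django.utils.safestring.mark_safe / SafeString and django.utils.html.format_html
do; they are stand-ins for illustration, not the Django implementation.
"""
import html


class SafeString(str):
    """A str the template engine will NOT escape again (what mark_safe returns)."""


def mark_safe(s: str) -> SafeString:
    """Declare a string trusted: autoescaping will leave it untouched."""
    return s if isinstance(s, SafeString) else SafeString(s)


def escape(s) -> SafeString:
    """Encode & < > " ' and mark the result safe (it is now inert markup)."""
    return mark_safe(html.escape(str(s), quote=True))


def conditional_escape(value) -> SafeString:
    """Escape unless the value has already been marked safe."""
    return value if isinstance(value, SafeString) else escape(value)


def render_var(value, autoescape: bool = True) -> str:
    """Emulate {{ var }} (autoescape on) or {{ var|safe }} (autoescape off)."""
    return str(conditional_escape(value)) if autoescape else str(value)


def format_html(fmt: str, *args) -> SafeString:
    """Escape every argument, then mark the assembled markup safe
    (mirrors django.utils.html.format_html)."""
    return mark_safe(fmt.format(*(conditional_escape(a) for a in args)))


# 1. The post's test view: temp is a developer-written constant, so mark_safe is fine.
def link_from_constant() -> str:
    temp = "<a href='http://www.baidu.com'>百度</a>"
    return render_var(mark_safe(temp))


# 2. Same pattern with user input interpolated first: mark_safe now blesses the payload
#    and {{ temp }} emits it as live markup.  (label is a constructed, attacker-controlled value.)
def link_unsafe(label: str) -> str:
    return render_var(mark_safe(f"<a href='http://www.baidu.com'>{label}</a>"))


# 3. Escape the untrusted part first, then mark only the assembled result safe.
def link_safe(label: str) -> str:
    return render_var(format_html("<a href='http://www.baidu.com'>{}</a>", label))


if __name__ == "__main__":
    hostile = "<img src=x onerror=alert(1)>"
    print("without mark_safe:", render_var("<a href='http://www.baidu.com'>百度</a>"))
    print("constant, marked safe:", link_from_constant())
    print("user input, marked safe (XSS):", link_unsafe(hostile))
    print("user input via format_html:", link_safe(hostile))
```

The first print is what `{{ temp }}` shows when the view passes a plain string (note 3: the literal `<a ...>` text); the second is what the post's `test` view produces. The third and fourth show the rule the notes state: `mark_safe` is for markup you wrote, and untrusted pieces must be escaped before they are combined with it.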
    """day73 URL Configuration
    
    The `urlpatterns` list routes URLs to views. For more information please see:
        https://docs.djangoproject.com/en/1.10/topics/http/urls/
    Examples:
    Function views
        1. Add an import:  from my_app import views
        2. Add a URL to urlpatterns:  url(r'^$', views.home, name='home')
    Class-based views
        1. Add an import:  from other_app.views import Home
        2. Add a URL to urlpatterns:  url(r'^$', Home.as_view(), name='home')
    Including another URLconf
        1. Import the include() function: from django.conf.urls import url, include
        2. Add a URL to urlpatterns:  url(r'^blog/', include('blog.urls'))
    """
    from django.conf.urls import url
    from django.contrib import admin
    
    from app01 import views
    
    
    urlpatterns = [
        url(r'^admin/', admin.site.urls),
        url(r'^test/',views.test),
        url(r'^comment/',views.comment),
        url(r'^index/',views.index),
    
    ]
    urls
Original article: https://www.cnblogs.com/niejinmei/p/7091479.html