Method Analysis of django Framework to Prevent XSS Injection

  • 2021-06-29 11:27:18
  • OfStack

This article describes, with an example, how the django framework prevents XSS injection. It is shared here for your reference, as follows:

XSS (cross-site scripting) is a common attack, and this type of error is easily overlooked or ignored by developers. Of course, the django framework itself has this in mind, for example by automatically enabling escaping in templates. When I revamped my personal blog yihaomen.duapp.com, I did not use a rich text editor in the comment box; instead I let users enter the content themselves. Suppose a user enters something like this:

This is my comment.


<script>alert('xss injection');</script>

If I then use {{comment|safe}} in the template like this, the safe filter disables escaping and a dialog box pops up as soon as the page is opened. This is XSS injection. It cannot be allowed in a real project, but the reason for using safe in the first place is to display html tags and the like properly. So the solution is to escape the content when it is received in the backend, especially the characters < and >, as well as single and double quotation marks. Initially I wrote some replacement methods myself, such as:


import re

def checkxss(content):
  # Replace each dangerous character with its HTML entity. '&' must be
  # handled first, otherwise the entities introduced below would be
  # escaped a second time.
  checked_content = content
  checked_content = re.sub(r"&", "&amp;", checked_content, 0, re.I)
  checked_content = re.sub(r"'", "&#39;", checked_content, 0, re.I)
  checked_content = re.sub(r'"', "&quot;", checked_content, 0, re.I)
  checked_content = re.sub(r"<", "&lt;", checked_content, 0, re.I)
  checked_content = re.sub(r">", "&gt;", checked_content, 0, re.I)
  checked_content = re.sub(r"/", "&#x2F;", checked_content, 0, re.I)
  return checked_content

Of course, you can process the content like this in the backend, save it to the database, and when the page is opened again and the |safe filter is used on the template, the text is displayed as the user originally entered it, without the tags being executed. That is true. But the problem is that I had added something unnecessary, because django already has its own set of methods for this. They are available in the django.utils.html package. I wrote a test with them:


'''
Created on 2013-11-21
@author: yihaomen.com
'''
from django.utils.html import escape, strip_tags, remove_tags
# Note: remove_tags() was deprecated in Django 1.8 and removed in Django 1.10,
# so this import only works on the Django versions current when this was written.

# Sample document used as input for the three helpers below.
html_content = """
  <html xmlns="http://www.w3.org/1999/xhtml">
  <head>
  <script>alert("test")</script>
  <title>yihaomen.com test</title>
  <link href="/static/css/style.css" rel="stylesheet" type="text/css" />
  </head>
  <body>
   content
  </body>
  </html>
"""

def escape_html(html):
  # Convert < > & " ' to HTML entities; the tags are then displayed as text, not rendered.
  return escape(html)

def strip_all_tags(html):
  # Remove every tag and keep only the text content.
  return strip_tags(html)

def remove_part_tags(html, tags):
  # Remove only the tags named in the space-separated string `tags`.
  return remove_tags(html, tags)

if __name__ == '__main__':
  print("====escape all tags======")
  print(escape_html(html_content))
  print("====remove all tags======")
  print(strip_all_tags(html_content))
  print("===remove part tags.=====")
  print(remove_part_tags(html_content, "script html body"))

There are, of course, more methods; see django's own code. From the above methods you can see that django can easily escape all html tags, remove some of the html tags, or strip all tags and retain only the content. It's really convenient.

This shows that what django.utils.html provides is sufficient to handle xss injection.
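To make the two points above concrete (escaping on receipt and then rendering with safe, versus letting the template escape at output time), here is an added example that is not part of the original article and does not use the author's code. It relies only on the Python standard library so it runs without Django installed: html.escape() produces the same entities for & < > " and ' that django.utils.html.escape() has produced since Django 3.0, and the small HTMLParser-based tag stripper is a stand-in for django's strip_tags(), not a port of it. The sample comment and the attribute-based payload are constructed inputs; the render_safe, render_autoescaped and is_inert helpers are my own names for modelling the template behaviour.

```python
import html
from html.parser import HTMLParser

# Constructed sample inputs: the comment from the article, plus a payload that
# carries its script in an attribute rather than in a <script> tag.
COMMENT = "This is my comment.\n<script>alert('xss injection');</script>"
ATTR_PAYLOAD = '<img src=x onerror="alert(1)">'


def checkxss(content: str) -> str:
    """Escape on receipt, as the article does, using the stdlib.

    html.escape(quote=True) turns & < > " ' into entities and handles '&'
    first, so entities it introduces are not escaped a second time.
    """
    return html.escape(content, quote=True)


class _TagStripper(HTMLParser):
    """Keeps text nodes only; a stdlib stand-in for django's strip_tags()."""

    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.parts = []

    def handle_data(self, data):
        self.parts.append(data)

    def handle_entityref(self, name):
        # Pass entities through untouched so stripping never "unescapes" text.
        self.parts.append(f"&{name};")

    def handle_charref(self, name):
        self.parts.append(f"&#{name};")


def strip_tags(content: str) -> str:
    """Remove tags but keep their text, including the body of a <script>."""
    parser = _TagStripper()
    parser.feed(content)
    parser.close()
    return "".join(parser.parts)


def render_safe(stored: str) -> str:
    """Models {{ comment|safe }}: whatever was stored is emitted verbatim."""
    return stored


def render_autoescaped(value: str) -> str:
    """Models the default template behaviour: escape at output time."""
    return html.escape(value, quote=True)


def is_inert(rendered: str) -> bool:
    """True when no raw '<' survives, so no tag can be opened in the output."""
    return "<" not in rendered


if __name__ == "__main__":
    stored = checkxss(COMMENT)
    print("escaped on receipt, rendered with |safe:")
    print(render_safe(stored), "-> inert:", is_inert(render_safe(stored)))
    print("raw, rendered with |safe:")
    print(render_safe(COMMENT), "-> inert:", is_inert(render_safe(COMMENT)))
    print("escaped on receipt AND autoescaped (double escaping):")
    print(render_autoescaped(stored))
    print("strip_tags keeps the script body as plain text:")
    print(strip_tags(COMMENT))
    print("tag stripping alone drops the attribute payload, escaping keeps it visible:")
    print(repr(strip_tags(ATTR_PAYLOAD)), "|", checkxss(ATTR_PAYLOAD))
```

Two things the run makes visible: escaping once on input and again at output yields `&amp;lt;` in the page, which is why the article pairs backend escaping with |safe, and strip_tags() removes the `<script>` element but leaves its body as visible text, so it changes what the user sees rather than guaranteeing safe output; escaping at one well-defined point is the property to rely on.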

I hope the description in this article will be helpful to everyone's Python program design based on the Django framework.
