Seven Days of Python -- Day 9

    As everyone knows, you don't learn to code just by reading it. A program has only one standard: does it work.

    So let me find some open-source projects to read and learn from the sharp coding of the masters......

    Recommendations:

        A bit dated, but still: http://www.iteye.com/topic/405150. Searching GitHub for Django also turns up plenty, and of course there is OSChina. One caveat: Django versions differ, so the details may vary, although the broad strokes are the same. Get the gist, then write your own code.

    The official documentation still comes first.



    It is still somewhat hard going. By chance I found a nice blog, http://www.dannysite.com/, built with Django.

    Source code: https://github.com/manyunkai/dannysite.com

    OK, I had been meaning to build a blog anyway, and now I even have an example.... I built a blog in Java before, but it had very few features; now there is a chance to do better. This week's task is to keep learning Django and then get the blog up and running....... woohoo!

                                                                                       -- 2014-07-29 19:14:04


(1) CSRF

    The CSRF middleware and template tag provide easy-to-use protection against Cross Site Request Forgeries. This type of attack occurs when a malicious Web site contains a link, a form button or some JavaScript that is intended to perform some action on your Web site, using the credentials of a logged-in user who visits the malicious site in their browser. A related type of attack, 'login CSRF', where an attacking site tricks a user's browser into logging into a site with someone else's credentials, is also covered.

  1. Add the middleware 'django.middleware.csrf.CsrfViewMiddleware' to your list of middleware classes, MIDDLEWARE_CLASSES. (It should come before any view middleware that assumes CSRF attacks have been dealt with.)

    Alternatively, you can use the decorator csrf_protect() on particular views you want to protect (see below).

  2. In any template that uses a POST form, use the csrf_token tag inside the <form> element if the form is for an internal URL, e.g.:

    <form action="." method="post">{% csrf_token %}

    This should not be done for POST forms that target external URLs, since that would cause the CSRF token to be leaked, leading to a vulnerability.

  3. In the corresponding view functions, ensure that the 'django.core.context_processors.csrf' context processor is being used. Usually, this can be done in one of two ways:

    1. Use RequestContext, which always uses 'django.core.context_processors.csrf' (no matter what your TEMPLATE_CONTEXT_PROCESSORS setting is). If you are using generic views or contrib apps, you are covered already, since these apps use RequestContext throughout.

    2. Manually import and use the processor to generate the CSRF token and add it to the template context. e.g.:

      from django.core.context_processors import csrf
      from django.shortcuts import render_to_response

      def my_view(request):
          c = {}
          # adds 'csrf_token' to the context so {% csrf_token %} can render it
          c.update(csrf(request))
          # ... view code here
          return render_to_response("a_template.html", c)

      You may want to write your own render_to_response() wrapper that takes care of this step for you.

      The utility script extras/csrf_migration_helper.py (located in the Django distribution, but not installed) can help to automate the finding of code and templates that may need these steps. It contains full help on how to use it.
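    To make the three steps above concrete, here is an added example that models what the middleware actually checks once the cookie and the {% csrf_token %} hidden field are in place. It is not code from the original post or from Django; the Request class is a stand-in for Django's HttpRequest, and the cookie, field and header names follow Django's conventions ("csrftoken", "csrfmiddlewaretoken", "X-CSRFToken"). The Referer rule for HTTPS is simplified to a hostname comparison.

```python
import hmac
import secrets
from urllib.parse import urlsplit

SAFE_METHODS = ("GET", "HEAD", "OPTIONS", "TRACE")


class Request:
    """Minimal stand-in for django.http.HttpRequest (an assumption, not Django)."""

    def __init__(self, method, cookies=None, post=None, headers=None,
                 secure=False, host="example.com"):
        self.method = method
        self.COOKIES = cookies or {}
        self.POST = post or {}
        self.headers = headers or {}
        self.is_secure = secure
        self.host = host


def issue_token():
    """The secret that csrf(request) / {% csrf_token %} hand out: it is stored
    in the 'csrftoken' cookie and echoed back in the hidden form field."""
    return secrets.token_hex(32)


def csrf_check(request, csrf_exempt=False):
    """Return None if the request may proceed, else the reason for a 403.
    Exempt views and safe methods skip the check; all others need a token."""
    if csrf_exempt or request.method in SAFE_METHODS:
        return None
    if request.is_secure:
        # Over HTTPS a same-host Referer is also required, so a forged
        # request from a plain-HTTP page cannot ride on the HTTPS cookie.
        referer = request.headers.get("Referer")
        if not referer:
            return "Referer checking failed - no Referer."
        if urlsplit(referer).hostname != request.host:
            return "Referer checking failed - does not match host."
    cookie_token = request.COOKIES.get("csrftoken")
    if not cookie_token:
        return "CSRF cookie not set."
    # Token from the {% csrf_token %} hidden field, or from the X-CSRFToken
    # header that AJAX callers send instead; compared in constant time.
    request_token = (request.POST.get("csrfmiddlewaretoken")
                     or request.headers.get("X-CSRFToken", ""))
    if not hmac.compare_digest(request_token.encode(), cookie_token.encode()):
        return "CSRF token missing or incorrect."
    return None
```

The last check is why the token must never be rendered into a form that posts to an external URL: whoever receives that form body learns the value that matches the user's cookie.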

    As for AJAX, that can wait. Next up: writing the Django blog.

                                                                                   -- 2014-07-29 21:02:21

