Auto-escaping: When HTML is generated from a template, it is dangerous if the content of a variable contains characters that have meaning in HTML. For example, take the template content Hello {{ name }} and give name the value: <script>alert('hello')</script>
The rendered HTML is: Hello <script>alert('hello')</script>. When the browser loads this result, a JavaScript alert box pops up. Similarly, if the value of name is <B>hanks, everything after "Hello" in the result is rendered in bold, because no closing </B> tag is ever written.

This attack technique is called Cross-Site Scripting (XSS; the abbreviation CSS is also seen, although it collides with Cascading Style Sheets). It is a security vulnerability in web applications and a form of code injection: it lets a malicious user inject code into a web page, and other users are affected when they view that page. Such attacks usually consist of HTML and client-side script. The above definition comes from Wikipedia: http://zh.wikipedia.org/wiki/%E8%B7%A8%E7%B6%B2%E7%AB%99%E6%8C%87%E4%BB%A4%E7%A2%BC

Obviously, user input must never be trusted. Programming defensively, you have two options to avoid the problem above:
1. Use a filter in the template. Django provides the escape filter, which can be applied to every variable you do not trust, but it has to be written after each variable individually, so it is easy to forget it on one of them.
2. Use Django's template auto-escaping. In fact, Django enables this by default: the content of every variable is escaped, specifically the following five characters:
- < is converted to &lt;
- > is converted to &gt;
- ' is converted to &#39;
- " is converted to &quot;
- & is converted to &amp;
The semicolon above is part of the escaped form. Looking at the page content and its source shows that only the content of the variable is escaped; the HTML written in the template itself is not escaped.

How do I disable this, and why would I? Sometimes you want a variable's content rendered as the original HTML and do not want it escaped. Or you want the template system to generate plain text rather than HTML, for example the body of an email. Django provides three ways to disable auto-escaping: at the variable level, the template level, and the site level.

1. Variable level: use the safe filter to disable auto-escaping for a single variable.
This will be escaped: {{ data }}
This will not be escaped: {{ data|safe }}
The effect is that the content of data is not shown as source code on the rendered page: the browser parses it as HTML, and any malformed markup in it is simply an HTML syntax error. So much for the escaping step itself...

2. Template level: this is controlled by the autoescape tag in the template. Auto-escaping is on by default, and the tags can be nested:
Hello {{ name }}
{% autoescape off %}
    This will not be auto-escaped: {{ data }}.
    Nor this: {{ other_data }}
    {% autoescape on %}
        Auto-escaping applies again: {{ name }}
    {% endautoescape %}
{% endautoescape %}
At the same time, the effect of the autoescape tag is inherited: it carries over from a parent template to its child templates.
# base.html
{% autoescape off %}
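To make the behaviour described above concrete, here is an added example that is not Django's code and not from the original post: a minimal re-implementation in plain Python of the escape filter (the same five characters), the variable-level safe filter, and a single level of the template-level autoescape tag. The SafeString marker class, the render() function, the mini-syntax it parses and the constructed PAYLOAD input are all assumptions of this toy; Django's real engine differs internally but escapes the same five characters and leaves the template's own HTML untouched.

```python
import re

# Added example: a minimal re-implementation of Django-style auto-escaping,
# not Django's own code. The five replacements are the ones listed on the page.
ESCAPE_MAP = {
    "<": "&lt;",
    ">": "&gt;",
    "'": "&#39;",
    '"': "&quot;",
    "&": "&amp;",
}

# Constructed attacker input, the same payload the text uses.
PAYLOAD = "<script>alert('hello')</script>"


class SafeString(str):
    """A string already known to be safe HTML; the renderer leaves it alone."""


def escape(value):
    """Replace the five HTML-significant characters in one pass (no double escaping)."""
    if isinstance(value, SafeString):
        return value
    return SafeString("".join(ESCAPE_MAP.get(ch, ch) for ch in str(value)))


# {{ name }} or {{ name|safe }} / {{ name|escape }}  (hypothetical mini-syntax)
VAR_RE = re.compile(r"\{\{\s*(\w+)\s*(?:\|\s*(safe|escape)\s*)?\}\}")
# {% autoescape on|off %} ... {% endautoescape %}; this toy handles one level only.
BLOCK_RE = re.compile(
    r"\{%\s*autoescape\s+(on|off)\s*%\}(.*?)\{%\s*endautoescape\s*%\}", re.S
)


def _render_vars(fragment, context, autoescape):
    """Substitute variables in a fragment; only variable values are ever escaped."""
    def substitute(match):
        name, flt = match.group(1), match.group(2)
        value = context.get(name, "")
        if flt == "safe":                  # variable-level opt-out: raw HTML
            return str(value)
        if flt == "escape" or autoescape:  # explicit filter or the default
            return escape(value)
        return str(value)
    return VAR_RE.sub(substitute, fragment)


def render(template, context, autoescape=True):
    """Render a template: text outside blocks uses `autoescape`, blocks use their own flag."""
    pieces, pos = [], 0
    for m in BLOCK_RE.finditer(template):
        pieces.append(_render_vars(template[pos:m.start()], context, autoescape))
        pieces.append(_render_vars(m.group(2), context, m.group(1) == "on"))
        pos = m.end()
    pieces.append(_render_vars(template[pos:], context, autoescape))
    return "".join(pieces)


if __name__ == "__main__":
    ctx = {"name": PAYLOAD}
    print(render("Hello {{ name }}", ctx))                    # escaped: no alert fires
    print(render("Hello {{ name|safe }}", ctx))               # raw: the XSS goes through
    print(render("Hello {{ name }}", ctx, autoescape=False))  # site/template-wide opt-out
```

The important property to notice is that escape() works on variable values only, so the `<p>` or `<script>` tags you write in the template yourself survive, while the same characters arriving through the context are neutralised unless you explicitly ask for `|safe` or turn auto-escaping off.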