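def __escape_data(self, path, query_dict, escape_type=None):
    """Escape every GET/POST parameter value in *query_dict*.

    Args:
        path: request path; used to look up the per-parameter escape rule
            via ``self.__filter_param`` when *escape_type* is not given.
        query_dict: multi-valued mapping exposing ``copy()``, ``lists()`` and
            ``setlist()`` (presumably a Django QueryDict). The caller's
            object is left untouched; only the copy is written.
        escape_type: optional rule applied to every key instead of the
            per-parameter lookup — ``'url'``, ``'texteditor'``, or anything
            else for plain HTML escaping.

    Returns:
        A copy of *query_dict* with every value escaped. Values that parse
        as JSON are routed to ``html_escape(value, True)`` instead of the
        rule-based escaping (what the ``True`` flag changes is not visible
        here).
    """
    data_copy = query_dict.copy()
    for key, values in data_copy.lists():
        escaped_values = []
        for value in values:
            # Only JSON parse failures are caught; a bare ``except:`` would
            # also swallow KeyboardInterrupt/SystemExit. Note that json.loads
            # accepts bare scalars such as ``123`` or ``"x"``, so those
            # strings take the JSON branch as well.
            try:
                json.loads(value)
            except (ValueError, TypeError):
                is_json = False
            else:
                is_json = True

            if is_json:
                escaped_values.append(html_escape(value, True))
                continue

            use_type = self.__filter_param(path, key) if escape_type is None else escape_type
            if use_type == 'url':
                escaped_values.append(url_escape(value))
            elif use_type == 'texteditor':
                escaped_values.append(texteditor_escape(value))
            else:
                escaped_values.append(html_escape(value))
        data_copy.setlist(key, escaped_values)
    return data_copy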
def __escape_data(self, path, query_dict, escape_type=None):
    """ Escape GET/POST parameters (dict-based variant, Python 2 syntax). """
    # NOTE(review): this listing appears truncated — ``new_data`` is filled
    # but never applied to ``data_copy`` or returned, so as written the
    # method returns None and changes nothing. Confirm against the full file.
    data_copy = query_dict.copy()
    new_data = {}
    # NOTE(review): items() yields a single value per key; on a Django
    # QueryDict that is the last value, so other values of a repeated
    # parameter are never visited here — verify whether callers rely on
    # multi-valued parameters.
    for _get_key, _get_value in data_copy.items():
        # Values that parse as JSON skip the rule-based escaping below.
        # ``except Exception, e`` is Python 2-only syntax and ``e`` is unused.
        try:
            json.loads(_get_value)
            is_json = True
        except Exception, e:
            is_json = False
        # Escape the value according to the per-parameter rule (or the
        # caller-supplied escape_type override).
        if not is_json:
            if escape_type is None:
                use_type = self.__filter_param(path, _get_key)
            else:
                use_type = escape_type
            if use_type == 'url':
                new_data[_get_key] = url_escape(_get_value)
            elif use_type == 'texteditor':
                new_data[_get_key] = texteditor_escape(_get_value)
            else:
                new_data[_get_key] = html_escape(_get_value)
        else:
            # JSON-looking values get html_escape with a second flag whose
            # meaning is not visible in this listing.
            new_data[_get_key] = html_escape(_get_value, True)
def __escape_data(self, path, query_dict, escape_type=None):
    """ Escape GET/POST parameters (list-based variant, Python 2 syntax). """
    # NOTE(review): this listing appears truncated — the inner loop computes
    # ``new_value`` but never appends it to ``new_value_list``, never writes
    # the list back with setlist(), and nothing is returned. Confirm against
    # the full file before relying on the behaviour described here.
    data_copy = query_dict.copy()
    for _get_key, _get_value_list in data_copy.lists():
        new_value_list = []
        for _get_value in _get_value_list:
            # Default: keep the raw value; every branch below overwrites it.
            new_value = _get_value
            # Values that parse as JSON skip the rule-based escaping below.
            # ``except Exception, e`` is Python 2-only syntax; ``e`` is unused here.
            try:
                json.loads(_get_value)
                is_json = True
            except Exception, e:
                is_json = False
            # Escape according to the per-parameter rule (or the override).
            if not is_json:
                try:
                    if escape_type is None:
                        use_type = self.__filter_param(path, _get_key)
                    else:
                        use_type = escape_type
                    if use_type == 'url':
                        new_value = url_escape(_get_value)
                    elif use_type == 'script':
                        new_value = check_script(_get_value, 1)
                    elif use_type == 'name':
                        new_value = html_escape_name(_get_value)
                    elif _get_key in self.__escape_param_list:
                        # Keys on the bypass list are passed through unescaped;
                        # presumably a whitelist of parameters escaped elsewhere
                        # — verify, since this is the one path that never escapes.
                        new_value = _get_value
                    else:
                        new_value = html_escape(_get_value, 1)
                except Exception, e:
                    # NOTE(review): fail-open — when escaping raises, the raw
                    # unescaped value is kept. Consider whether dropping the
                    # value would be the safer fallback.
                    logger.error(u"CheckXssMiddleware GET/POST参数 转换失败!%s" % e)
                    new_value = _get_value
            else:
                try:
                    new_value = html_escape(_get_value, 1, True)
                except Exception, e:
                    # Same fail-open fallback as above.
                    logger.error(u"CheckXssMiddleware GET/POST参数 转换失败!%s" % e)
                    new_value = _get_value
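def login_success(self, request):
    """Handle the QQ login-success page.

    Reads ``uin``/``skey`` from the request cookies, resolves them to an
    openid/openkey pair and verifies that pair. On verification failure the
    configured LOGIN_FAIL_TEMPLATE is rendered. Otherwise the response is
    either a redirect to the validated ``refer_url`` (when a ``redirect``
    GET parameter is present) or the rendered LOGIN_SUCCESS_TEMPLATE; both
    carry the ``openid`` and ``openkey`` cookies scoped to ``SITE_URL``.

    Args:
        request: the incoming request (cookies and GET parameters are read).

    Returns:
        A response object produced by ``render_mako_context`` or
        ``HttpResponseRedirect``.
    """
    uin = request.COOKIES.get('uin', '')
    skey = request.COOKIES.get('skey', '')
    # Convert the raw uin cookie into a QQ number.
    uin = self.transform_uin(uin)
    # Resolve the user's openid/openkey for this uin.
    openid, openkey = self.get_openid_by_uin(request, uin, skey)
    if not self.verify_openid(request, openid, openkey):
        return render_mako_context(request, self._config.LOGIN_FAIL_TEMPLATE)

    # Whether the original request was an ajax request ('1' by default).
    is_ajax = request.GET.get('is_ajax', '1')
    refer_url = request.GET.get('refer_url', '')
    redirect = request.GET.get("redirect", None)

    # Sanitise the caller-supplied parameters. A refer_url that is missing or
    # (assuming is_url_in_domain does what its name says) points outside the
    # current domain falls back to the site root, which keeps the redirect
    # below from becoming an open redirect.
    try:
        is_ajax = html_escape(is_ajax)
        if not refer_url or not is_url_in_domain(refer_url):
            refer_url = self._config.S_URL
        else:
            refer_url = url_escape(refer_url)
    except Exception:
        # Fall back to the safe defaults. '1' is a string here, matching the
        # GET default, so the template sees one type on every path (the
        # previous fallback used the int 1).
        is_ajax = '1'
        refer_url = self._config.S_URL

    def _with_login_cookies(response):
        # Both success responses carry the same pair of cookies.
        # NOTE(review): these are set without httponly/secure — confirm
        # whether client-side code needs to read them; if not, consider
        # httponly=True (and secure=True when served over HTTPS).
        response.set_cookie('openid', openid, path=self._config.SITE_URL)
        response.set_cookie('openkey', openkey, path=self._config.SITE_URL)
        return response

    if redirect:
        return _with_login_cookies(HttpResponseRedirect(refer_url))

    ctx = {'is_ajax': is_ajax, 'refer_url': refer_url}
    response = render_mako_context(request, self._config.LOGIN_SUCCESS_TEMPLATE, ctx)
    return _with_login_cookies(response)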
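def __escape_data(self, path, query_dict, escape_type=None):
    """Escape every GET/POST parameter value in *query_dict*.

    Args:
        path: request path; used to look up the per-parameter escape rule
            via ``self.__filter_param`` when *escape_type* is not given.
        query_dict: mapping exposing ``copy()``, ``items()`` and ``update()``
            (a plain dict or, presumably, a Django QueryDict). The caller's
            object is left untouched; only the copy is written.
        escape_type: optional rule applied to every key instead of the
            per-parameter lookup — ``'url'``, ``'script'``, ``'name'``, or
            anything else for ``html_escape(value, 1)``.

    Returns:
        A copy of *query_dict* updated with the escaped values. Values that
        parse as JSON are routed to ``html_escape(value, 1, True)`` (what
        the extra flags change is not visible here). If escaping a value
        raises, the error is logged and the raw value is kept.
    """
    data_copy = query_dict.copy()
    new_data = {}
    # NOTE(review): items() yields a single value per key; on a Django
    # QueryDict that is the last value, so other values of a repeated
    # parameter are never visited — verify whether callers rely on them.
    for key, value in data_copy.items():
        # Only JSON parse failures are caught here (the previous
        # ``except Exception`` also hid unrelated errors). json.loads
        # accepts bare scalars such as ``123``, so those take the JSON branch.
        try:
            json.loads(value)
        except (ValueError, TypeError):
            is_json = False
        else:
            is_json = True

        try:
            if is_json:
                new_data[key] = html_escape(value, 1, True)
            else:
                use_type = self.__filter_param(path, key) if escape_type is None else escape_type
                if use_type == 'url':
                    new_data[key] = url_escape(value)
                elif use_type == 'script':
                    new_data[key] = check_script(value, 1)
                elif use_type == 'name':
                    new_data[key] = html_escape_name(value)
                else:
                    new_data[key] = html_escape(value, 1)
        except Exception as e:
            # Best-effort: keep the request usable. NOTE(review): this is
            # fail-open — the raw, unescaped value is kept when escaping
            # raises; consider whether dropping the value is preferable.
            logger.error(u"CheckXssMiddleware GET/POST参数 转换失败!%s", e)
            new_data[key] = value

    # NOTE(review): if data_copy is a Django QueryDict, update() appends to
    # each key's value list rather than replacing it, so getlist(key) would
    # still expose the raw value alongside the escaped one; setlist() (as
    # used by the list-based variant of this method) replaces it. Confirm
    # which type reaches this method.
    data_copy.update(new_data)
    return data_copy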