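def __escape_data(self, path, query_dict, escape_type=None):
    """
    Escape GET/POST parameters.

    Every value in ``query_dict`` is escaped according to the escape type
    chosen for its key: ``'url'`` -> ``url_escape``, ``'texteditor'`` ->
    ``texteditor_escape``, anything else -> ``html_escape``. Values that parse
    as JSON are passed to ``html_escape(value, True)`` instead.

    :param path: request path, handed to ``__filter_param`` to pick the
        per-key escape type when ``escape_type`` is None
    :param query_dict: the request parameters; must provide ``copy()``,
        ``items()`` and ``update()`` (presumably a Django QueryDict — confirm)
    :param escape_type: force one escape type for every key
    :return: a copy of ``query_dict`` carrying the escaped values
    """
    data_copy = query_dict.copy()
    new_data = {}
    for _get_key, _get_value in data_copy.items():
        # JSON strings take the JSON-aware escape path. Anything json.loads
        # accepts counts: numbers, true/false/null and quoted strings too.
        try:
            json.loads(_get_value)
            is_json = True
        except Exception:
            is_json = False
        if is_json:
            new_data[_get_key] = html_escape(_get_value, True)
            continue
        if escape_type is None:
            use_type = self.__filter_param(path, _get_key)
        else:
            use_type = escape_type
        if use_type == 'url':
            new_data[_get_key] = url_escape(_get_value)
        elif use_type == 'texteditor':
            new_data[_get_key] = texteditor_escape(_get_value)
        else:
            new_data[_get_key] = html_escape(_get_value)
    # The escaped values were previously built and then dropped (the
    # function returned None); apply them and return the copy like the other
    # __escape_data variants in this file. NOTE(review): if query_dict is a
    # Django QueryDict, update() appends to each key's value list rather than
    # replacing it, so data_copy[key] yields the escaped value but getlist()
    # still exposes the raw one — the .lists()/setlist() variant avoids that.
    data_copy.update(new_data)
    return data_copy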
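def __escape_data(self, path, query_dict, escape_type=None):
    """
    Escape GET/POST parameters, handling multi-valued keys.

    Iterates ``query_dict.lists()`` so every value of a repeated key is
    escaped, then writes the escaped list back with ``setlist``. Per value:
    JSON-parsable input goes to ``html_escape(value, True)``; otherwise the
    escape type for the key selects ``url_escape``, ``texteditor_escape`` or
    plain ``html_escape``.

    :param path: request path, handed to ``__filter_param`` to pick the
        per-key escape type when ``escape_type`` is None
    :param query_dict: request parameters exposing ``copy()``, ``lists()``
        and ``setlist()`` (a Django QueryDict, presumably — confirm)
    :param escape_type: force one escape type for every key
    :return: a copy of ``query_dict`` with all values escaped
    """
    data_copy = query_dict.copy()
    for _get_key, _get_value_list in data_copy.lists():
        new_value_list = []
        for _get_value in _get_value_list:
            # JSON detection; numbers, true/false/null and quoted strings
            # also parse, so they take the JSON branch.
            try:
                json.loads(_get_value)
                is_json = True
            except Exception:
                # Was a bare `except:`, which also swallowed SystemExit and
                # KeyboardInterrupt.
                is_json = False
            if is_json:
                new_value_list.append(html_escape(_get_value, True))
                continue
            if escape_type is None:
                use_type = self.__filter_param(path, _get_key)
            else:
                use_type = escape_type
            if use_type == 'url':
                new_value = url_escape(_get_value)
            elif use_type == 'texteditor':
                new_value = texteditor_escape(_get_value)
            else:
                new_value = html_escape(_get_value)
            new_value_list.append(new_value)
        data_copy.setlist(_get_key, new_value_list)
    return data_copy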
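def my_applys(request):
    """
    Return the current user's applications as JSON, with optional filters.

    Query-string filters: ``apply_award`` (award name substring),
    ``check_state`` (``'-1'`` selects rows with no state, any other value is
    matched against ``state``), and ``start_time``/``end_time`` (both
    ``%Y-%m-%d``; the range filter applies only when both are given). The
    result is paginated 10 per page via ``page``.

    :param request: Django request; reads ``GET``, ``COOKIES['uin']`` and ``user``
    :return: ``render_json`` of ``{'counts': <total>, 'my_applys': <page rows>}``
    :raises ValueError: when ``start_time``/``end_time`` are not ``%Y-%m-%d``
    """
    # Filters are HTML-escaped before they reach the ORM. Missing params are
    # None, and the `is not None` checks below assume html_escape passes None
    # through — confirm. NOTE(review): a value html_escape rewrites (e.g. one
    # containing '&' or quotes) is matched in its escaped form, so a
    # `contains` lookup may miss rows that store the raw text.
    apply_award_f = html_escape(request.GET.get('apply_award'))
    check_state_f = html_escape(request.GET.get('check_state'))
    start_time_f = html_escape(request.GET.get('start_time'))
    end_time_f = html_escape(request.GET.get('end_time'))

    apply_query_list = []
    is_not = False  # True => restrict to applications whose state is NULL
    if apply_award_f is not None:
        apply_query_list.append(Q(award__name__contains=apply_award_f))
    if check_state_f is not None:
        if check_state_f == '-1':
            is_not = True
        else:
            apply_query_list.append(Q(state=check_state_f))
    if start_time_f is not None and end_time_f is not None:
        apply_query_list.append(Q(apply_time__range=(
            datetime.datetime.strptime(start_time_f, "%Y-%m-%d"),
            datetime.datetime.strptime(end_time_f, "%Y-%m-%d"))))

    uin = request.COOKIES.get('uin', '')
    user_qq = transform_uin(uin)
    user = request.user
    applys = get_my_apply(user, user_qq, apply_query_list, is_not)

    paginator = Paginator(applys, 10)
    page = request.GET.get('page', 1)
    try:
        my_applys = paginator.page(page)
    except PageNotAnInteger:
        my_applys = paginator.page(1)
    except EmptyPage:
        # Out-of-range page: clamp to the last page. The original requested
        # page number paginator.count (the row count), which is itself out of
        # range as soon as there is more than one page.
        my_applys = paginator.page(paginator.num_pages)
    return render_json({
        'counts': paginator.count,
        'my_applys': my_applys.object_list
    })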
def handel_response(self, request, response):
    """
    Shared response post-processing for the login flow (cookies, session).

    When both ``openid`` and ``openkey`` are present in the query string they
    are HTML-escaped and stored as cookies scoped to ``SITE_URL``; otherwise
    the response is returned untouched.

    NOTE(review): the original comment says the pair is "verified" here, but
    the only processing visible is html_escape — no server-side check of the
    credential happens in this method (the login_success variant in this
    file calls verify_openid before setting the same cookies). Confirm this
    path is only reached after such a check. The cookies are also set without
    httponly/secure flags.

    :param request: Django request; reads ``GET['openid']`` / ``GET['openkey']``
    :param response: the response to decorate
    :return: the same ``response`` object
    """
    openid = request.GET.get('openid', '')
    openkey = request.GET.get('openkey', '')
    if not (openid and openkey):
        return response
    cookie_path = self._config.SITE_URL
    for cookie_name, raw_value in (('openid', openid), ('openkey', openkey)):
        response.set_cookie(cookie_name, html_escape(raw_value), path=cookie_path)
    return response
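def __escape_data(self, path, query_dict, escape_type=None):
    """
    Escape GET/POST parameters, handling multi-valued keys.

    Iterates ``query_dict.lists()`` so every value of a repeated key is
    escaped, then writes the escaped list back with ``setlist``. Per value:
    JSON-parsable input goes to ``html_escape(value, 1, True)``; otherwise
    the escape type for the key selects ``url_escape`` (``'url'``),
    ``check_script`` (``'script'``) or ``html_escape_name`` (``'name'``);
    keys listed in ``__escape_param_list`` are exempt from the default
    ``html_escape(value, 1)`` and keep their raw value.

    Failure policy: any exception raised while escaping a value is logged and
    the RAW value is kept — i.e. the middleware fails open for that value.

    :param path: request path, handed to ``__filter_param`` to pick the
        per-key escape type when ``escape_type`` is None
    :param query_dict: request parameters exposing ``copy()``, ``lists()``
        and ``setlist()`` (a Django QueryDict, presumably — confirm)
    :param escape_type: force one escape type for every key
    :return: a copy of ``query_dict`` with all values escaped
    """
    def _escape_one(key, value):
        # Escape a single value; returns the raw value on any error (logged).
        try:
            json.loads(value)
            is_json = True
        except Exception:
            is_json = False
        try:
            if is_json:
                return html_escape(value, 1, True)
            if escape_type is None:
                use_type = self.__filter_param(path, key)
            else:
                use_type = escape_type
            if use_type == 'url':
                return url_escape(value)
            if use_type == 'script':
                return check_script(value, 1)
            if use_type == 'name':
                return html_escape_name(value)
            # Exemption applies only to the default HTML escaping; typed
            # keys above are still processed.
            if key in self.__escape_param_list:
                return value
            return html_escape(value, 1)
        except Exception as e:
            logger.error(u"CheckXssMiddleware GET/POST参数 转换失败!%s" % e)
            return value

    data_copy = query_dict.copy()
    for _get_key, _get_value_list in data_copy.lists():
        # The original snippet computed each escaped value and stopped there
        # (no append, no setlist, no return); this completes the loop the
        # same way the other .lists()-based variant in this file does.
        new_value_list = [_escape_one(_get_key, v) for v in _get_value_list]
        data_copy.setlist(_get_key, new_value_list)
    return data_copy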
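def awards(request):
    """
    Return the award list as JSON, with optional filters and pagination.

    Query-string filters: ``organization`` (organization name substring),
    ``apply_award`` (award name substring), ``check_state`` (``'1'`` means
    active, anything else inactive) and ``start_time``/``end_time`` (both
    ``%Y-%m-%d``, both required). The given filters are OR-ed together; soft
    deleted awards and awards of soft deleted organizations are always
    excluded. Results are ordered by ``-id`` and paginated 10 per page.

    :param request: Django request; reads ``GET``
    :return: ``render_json`` of ``{'counts': <total>, 'awards': <page rows>}``
    :raises ValueError: when ``start_time``/``end_time`` are not ``%Y-%m-%d``
    """
    # Filters are HTML-escaped before they reach the ORM. Missing params are
    # None, and the `is not None` checks assume html_escape passes None
    # through — confirm. NOTE(review): values html_escape rewrites (e.g. '&')
    # are matched in escaped form, so a `contains` lookup may miss raw text.
    organization_f = html_escape(request.GET.get('organization'))
    apply_award_f = html_escape(request.GET.get('apply_award'))
    check_state_f = html_escape(request.GET.get('check_state'))
    start_time_f = html_escape(request.GET.get('start_time'))
    end_time_f = html_escape(request.GET.get('end_time'))

    query_list = []
    if organization_f is not None:
        query_list.append(Q(organization__name__contains=organization_f))
    if apply_award_f is not None:
        query_list.append(Q(name__contains=apply_award_f))
    if check_state_f is not None:
        # Only the literal '1' selects active awards.
        query_list.append(Q(is_active=(check_state_f == '1')))
    if start_time_f is not None and end_time_f is not None:
        query_list.append(
            Q(start_time__gt=datetime.datetime.strptime(start_time_f, "%Y-%m-%d"))
            & Q(end_time__lt=datetime.datetime.strptime(end_time_f, "%Y-%m-%d")))

    if query_list:
        # Filters are combined with OR, matching the original behaviour.
        award_all = Awards.objects.filter(
            reduce(operator.or_, query_list),
            soft_del=False,
            organization__soft_del=False).order_by('-id').select_related('organization')
    else:
        award_all = Awards.objects.filter(
            soft_del=False,
            organization__soft_del=False).order_by('-id').select_related('organization')

    paginator = Paginator(award_all, 10)
    page = request.GET.get('page', 1)
    try:
        awards = paginator.page(page)
    except PageNotAnInteger:
        awards = paginator.page(1)
    except EmptyPage:
        # Out-of-range page: clamp to the last page. The original requested
        # page number paginator.count (the row count), which is itself out of
        # range as soon as there is more than one page.
        awards = paginator.page(paginator.num_pages)
    return render_json({
        'counts': paginator.count,
        'awards': Awards.to_array(awards)
    })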
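def __escape_data(self, path, query_dict, escape_type=None):
    """
    Escape GET/POST parameters (one value per key).

    Per value: JSON-parsable input goes to ``html_escape(value, 1, True)``;
    otherwise the escape type for the key selects ``url_escape`` (``'url'``),
    ``check_script`` (``'script'``), ``html_escape_name`` (``'name'``) or the
    default ``html_escape(value, 1)``.

    Failure policy: any exception raised while escaping a value is logged and
    the RAW value is kept — i.e. the middleware fails open for that value.

    :param path: request path, handed to ``__filter_param`` to pick the
        per-key escape type when ``escape_type`` is None
    :param query_dict: request parameters exposing ``copy()``, ``items()``
        and ``update()`` (a Django QueryDict, presumably — confirm)
    :param escape_type: force one escape type for every key
    :return: a copy of ``query_dict`` carrying the escaped values
    """
    data_copy = query_dict.copy()
    new_data = {}
    for _get_key, _get_value in data_copy.items():
        # JSON detection; the parsed object itself is not needed (the
        # original bound it to an unused `to_json`).
        try:
            json.loads(_get_value)
            is_json = True
        except Exception:
            is_json = False
        try:
            if is_json:
                new_data[_get_key] = html_escape(_get_value, 1, True)
            else:
                if escape_type is None:
                    use_type = self.__filter_param(path, _get_key)
                else:
                    use_type = escape_type
                if use_type == 'url':
                    new_data[_get_key] = url_escape(_get_value)
                elif use_type == 'script':
                    new_data[_get_key] = check_script(_get_value, 1)
                elif use_type == 'name':
                    new_data[_get_key] = html_escape_name(_get_value)
                else:
                    new_data[_get_key] = html_escape(_get_value, 1)
        except Exception as e:
            # Both branches logged the same message and fell back to the raw
            # value, so they share one handler.
            logger.error(u"CheckXssMiddleware GET/POST参数 转换失败!%s" % e)
            new_data[_get_key] = _get_value
    # NOTE(review): for a Django QueryDict, update() appends to each key's
    # value list rather than replacing it, so data_copy[key] yields the
    # escaped value but getlist() still exposes the raw one; repeated keys
    # also only get their last value escaped here. The .lists()/setlist()
    # variant in this file covers both cases.
    data_copy.update(new_data)
    return data_copy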
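def valid_organization(data):
    """
    Validate an organization payload and return an HTML-escaped copy of it.

    :param data: dict with at least the keys ``'name'``, ``'head'`` and
        ``'eva_member'``
    :return: the dict obtained by round-tripping ``data`` through
        ``json.dumps`` -> ``html_escape(..., is_json=True)`` -> ``json.loads``;
        ``data`` itself is not modified
    :raises InvalidData: when ``name`` is empty, or ``head`` / ``eva_member``
        is empty
    :raises KeyError: when a required key is missing
    """
    if data['name'] == '':
        raise InvalidData(u'组织名字不能为空')
    # Truthiness instead of len(): an absent/None value is now reported as
    # InvalidData rather than surfacing as a TypeError.
    if not data['head'] or not data['eva_member']:
        raise InvalidData(u'负责人或评价人员不能为空')
    # The original computed this escaped copy and then dropped it (it only
    # rebound the local name), so callers never received sanitized values.
    return json.loads(html_escape(json.dumps(data), is_json=True))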
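def valid_award(data):
    """
    Validate an award payload in place and sanitize its text fields.

    Checks that ``name`` is non-empty, that ``begin_time`` is not after
    ``end_time`` and that no field is ``''`` or ``None``; then replaces
    ``data['requirement']`` with the output of the ``XssHtml`` filter and
    ``data['name']`` with its HTML-escaped form.

    :param data: dict with at least ``'name'``, ``'begin_time'``,
        ``'end_time'`` and ``'requirement'``; modified in place
    :return: None
    :raises InvalidData: on an empty name, an inverted time range, or any
        empty field
    :raises KeyError: when a required key is missing
    """
    if data['name'] == '':
        raise InvalidData(u'奖项名字不能为空')
    # Compared as given (strings or datetimes) — the caller's representation
    # decides the ordering.
    if data['begin_time'] > data['end_time']:
        raise InvalidData(u'开始时间不能晚于结束时间')
    for value in data.values():
        if value == '' or value is None:
            raise InvalidData(u'不能为空')
    # Rich-text XSS filtering of the requirement HTML via the XssHtml parser
    # (its filtering policy lives in that class).
    parser = XssHtml()
    parser.feed(data['requirement'])
    parser.close()
    data['requirement'] = parser.getHtml()
    data['name'] = html_escape(data['name'])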
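def login_success(self, request):
    """
    QQ login success page.

    Converts the ``uin`` cookie to a QQ number, resolves and verifies the
    openid/openkey pair for it (rendering ``LOGIN_FAIL_TEMPLATE`` on
    failure), stores the pair in cookies scoped to ``SITE_URL`` and then
    either redirects to ``refer_url`` (when ``redirect`` is given) or renders
    ``LOGIN_SUCCESS_TEMPLATE`` with ``is_ajax`` / ``refer_url`` in the context.

    :param request: Django request; reads ``COOKIES`` uin/skey and ``GET``
        is_ajax/refer_url/redirect
    :return: an ``HttpResponseRedirect`` or the rendered template response
    """
    uin = request.COOKIES.get('uin', '')
    skey = request.COOKIES.get('skey', '')
    uin = self.transform_uin(uin)
    openid, openkey = self.get_openid_by_uin(request, uin, skey)
    if not self.verify_openid(request, openid, openkey):
        return render_mako_context(request, self._config.LOGIN_FAIL_TEMPLATE)

    # Whether the originating request was an AJAX call.
    is_ajax = request.GET.get('is_ajax', '1')
    refer_url = request.GET.get('refer_url', '')
    redirect = request.GET.get("redirect", None)
    try:
        is_ajax = html_escape(is_ajax)
        # Open-redirect guard: only callback URLs inside the current domain
        # are honoured; a missing or foreign URL falls back to the site root.
        if not refer_url or not is_url_in_domain(refer_url):
            refer_url = self._config.S_URL
        else:
            refer_url = url_escape(refer_url)
    except Exception:
        # Was a bare `except:`. Safe defaults; note is_ajax becomes the int 1
        # here whereas the normal path yields a string — kept as the
        # original had it.
        is_ajax = 1
        refer_url = self._config.S_URL

    def _with_auth_cookies(response):
        # Every success response carries the verified openid/openkey pair.
        # NOTE(review): set without httponly/secure flags — review for the
        # deployment.
        response.set_cookie('openid', openid, path=self._config.SITE_URL)
        response.set_cookie('openkey', openkey, path=self._config.SITE_URL)
        return response

    if redirect:
        return _with_auth_cookies(HttpResponseRedirect(refer_url))
    ctx = {'is_ajax': is_ajax, 'refer_url': refer_url}
    return _with_auth_cookies(
        render_mako_context(request, self._config.LOGIN_SUCCESS_TEMPLATE, ctx))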
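def valid_award(data):
    """
    Validate an award payload in place and sanitize its text fields.

    Checks that ``name`` is non-empty and that no field is ``''`` or
    ``None``; then replaces ``data['content']`` with the output of the
    ``XssHtml`` filter and ``data['name']`` with its HTML-escaped form.

    :param data: dict with at least ``'name'`` and ``'content'``; modified
        in place
    :return: None
    :raises InvalidData: on an empty name or any empty field
    :raises KeyError: when a required key is missing
    """
    if data['name'] == '':
        raise InvalidData(u'奖项名字不能为空')
    for value in data.values():
        if value == '' or value is None:
            raise InvalidData(u'不能为空')
    # Rich-text XSS filtering of the content HTML via the XssHtml parser
    # (its filtering policy lives in that class).
    parser = XssHtml()
    parser.feed(data['content'])
    parser.close()
    data['content'] = parser.getHtml()
    data['name'] = html_escape(data['name'])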
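def valid_decide(data):
    """
    Validate a decision payload and return an HTML-escaped copy of it.

    :param data: dict of submitted fields
    :return: the dict obtained by round-tripping ``data`` through
        ``json.dumps`` -> ``html_escape(..., is_json=True)`` -> ``json.loads``;
        ``data`` itself is not modified
    :raises InvalidData: when any field is ``''`` or ``None``
    """
    for value in data.values():
        if value == '' or value is None:
            raise InvalidData(u'不能为空')
    # The original computed this escaped copy and then dropped it (it only
    # rebound the local name), so callers never received sanitized values.
    return json.loads(html_escape(json.dumps(data), is_json=True))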