コード例 #1
ファイル: middlewares.py プロジェクト: imtos/vagrant
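 def __escape_data(self, path, query_dict, escape_type=None):
     """
     Escape every GET/POST parameter value and return the escaped copy.

     Works on a copy of ``query_dict`` and rewrites the whole value list of
     each key, so every value of a repeated parameter is processed.

     :param path: request path, passed to ``self.__filter_param`` to look
         up the escape type for a key.
     :param query_dict: multi-value mapping providing ``copy()``,
         ``lists()`` and ``setlist()``.
     :param escape_type: when not None, this escape type is applied to
         every key instead of the per-key lookup.
     :return: the copy, with each value replaced by its escaped form.
     """
     data_copy = query_dict.copy()
     for _get_key, _get_value_list in data_copy.lists():
         new_value_list = []
         for _get_value in _get_value_list:
             # Which escaping branch runs depends on whether the value
             # parses as JSON. json.loads accepts any JSON document,
             # including bare scalars and quoted strings, so the request
             # itself selects the branch.
             # NOTE(review): confirm html_escape(value, True) is at least
             # as strict as the non-JSON branch; the meaning of its second
             # argument is not visible in this listing.
             try:
                 json.loads(_get_value)
                 is_json = True
             except Exception:
                 # Was a bare ``except:``. Exception still treats anything
                 # unparseable as "not JSON" but no longer swallows
                 # KeyboardInterrupt/SystemExit.
                 is_json = False
             # Escape the value.
             if not is_json:
                 if escape_type is None:
                     use_type = self.__filter_param(path, _get_key)
                 else:
                     use_type = escape_type
                 if use_type == 'url':
                     new_value = url_escape(_get_value)
                 elif use_type == 'texteditor':
                     new_value = texteditor_escape(_get_value)
                 else:
                     new_value = html_escape(_get_value)
             else:
                 new_value = html_escape(_get_value, True)
             new_value_list.append(new_value)
         data_copy.setlist(_get_key, new_value_list)
     return data_copy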
コード例 #2
ファイル: middlewares.py プロジェクト: Xmandom/twoapp
 def __escape_data(self, path, query_dict, escape_type=None):
     """
     Escape GET/POST parameters.

     The visible part collects one escaped value per key in ``new_data``.
     This listing ends before ``new_data`` is used or anything is returned.
     """
     data_copy = query_dict.copy()
     new_data = {}
     # NOTE(review): items() yields a single value per key. If query_dict is
     # a Django QueryDict (its type is not shown here), that is only the last
     # value of a repeated parameter, so earlier values would not pass
     # through this loop -- confirm against the caller.
     for _get_key, _get_value in data_copy.items():
         # Check whether the value parses as JSON; such values take the
         # separate html_escape(..., True) branch below. json.loads accepts
         # any JSON document, including bare scalars and quoted strings, so
         # the request itself selects the branch.
         try:
             json.loads(_get_value)
             is_json = True
         except Exception, e:
             is_json = False
         # Escape the value.
         if not is_json:
             # An explicit escape_type overrides the per-key lookup.
             if escape_type is None:
                 use_type = self.__filter_param(path, _get_key)
             else:
                 use_type = escape_type
             if use_type == 'url':
                 new_data[_get_key] = url_escape(_get_value)
             elif use_type == 'texteditor':
                 new_data[_get_key] = texteditor_escape(_get_value)
             else:
                 new_data[_get_key] = html_escape(_get_value)
         else:
             # NOTE(review): confirm this branch is at least as strict as the
             # non-JSON one; the second argument's meaning is not shown here.
             new_data[_get_key] = html_escape(_get_value, True)
コード例 #3
ファイル: middlewares.py プロジェクト: Q-skyworker/hostwatch
 def __escape_data(self, path, query_dict, escape_type=None):
     """
     Escape GET/POST parameters.

     The visible part collects one escaped value per key in ``new_data``.
     This listing ends before ``new_data`` is used or anything is returned.
     """
     data_copy = query_dict.copy()
     new_data = {}
     # NOTE(review): items() yields a single value per key. If query_dict is
     # a Django QueryDict (its type is not shown here), that is only the last
     # value of a repeated parameter, so earlier values would not pass
     # through this loop -- confirm against the caller.
     for _get_key, _get_value in data_copy.items():
         # Check whether the value parses as JSON; such values take the
         # separate html_escape(..., True) branch below. json.loads accepts
         # any JSON document, including bare scalars and quoted strings, so
         # the request itself selects the branch.
         try:
             json.loads(_get_value)
             is_json = True
         except Exception, e:
             is_json = False
         # Escape the value.
         if not is_json:
             # An explicit escape_type overrides the per-key lookup.
             if escape_type is None:
                 use_type = self.__filter_param(path, _get_key)
             else:
                 use_type = escape_type
             if use_type == 'url':
                 new_data[_get_key] = url_escape(_get_value)
             elif use_type == 'texteditor':
                 new_data[_get_key] = texteditor_escape(_get_value)
             else:
                 new_data[_get_key] = html_escape(_get_value)
         else:
             # NOTE(review): confirm this branch is at least as strict as the
             # non-JSON one; the second argument's meaning is not shown here.
             new_data[_get_key] = html_escape(_get_value, True)
コード例 #4
ファイル: middlewares.py プロジェクト: beckhaha/bk_donie
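 def __escape_data(self, path, query_dict, escape_type=None):
     """
     Return a copy of ``query_dict`` with every GET/POST value escaped.

     Each key's complete value list is rebuilt and written back with
     ``setlist()``, so all values of a repeated parameter are escaped.

     :param path: request path, handed to ``self.__filter_param`` when the
         escape type has to be looked up per key.
     :param query_dict: multi-value mapping providing ``copy()``,
         ``lists()`` and ``setlist()``.
     :param escape_type: optional escape type applied to all keys; None
         means "look it up per key".
     :return: the escaped copy.
     """
     data_copy = query_dict.copy()
     for _get_key, _get_value_list in data_copy.lists():
         new_value_list = []
         for _get_value in _get_value_list:
             # Decide whether the value is a JSON document. Any text that
             # json.loads accepts (objects, arrays, bare scalars, quoted
             # strings) counts, so the request controls which escaping
             # branch is taken.
             try:
                 json.loads(_get_value)
             except Exception:
                 # Narrowed from a bare ``except:`` so that
                 # KeyboardInterrupt/SystemExit are not swallowed here.
                 is_json = False
             else:
                 is_json = True

             if is_json:
                 # NOTE(review): verify that this call is no weaker than
                 # the non-JSON escaping; what the second argument does is
                 # not visible in this listing.
                 new_value = html_escape(_get_value, True)
             else:
                 # An explicit escape_type overrides the per-key lookup.
                 use_type = (
                     self.__filter_param(path, _get_key)
                     if escape_type is None else escape_type
                 )
                 if use_type == 'url':
                     new_value = url_escape(_get_value)
                 elif use_type == 'texteditor':
                     new_value = texteditor_escape(_get_value)
                 else:
                     new_value = html_escape(_get_value)
             new_value_list.append(new_value)
         data_copy.setlist(_get_key, new_value_list)
     return data_copy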
コード例 #5
    def __escape_data(self, path, query_dict, escape_type=None):
        """
        Escape GET/POST parameters.

        Walks every value of every key in a copy of ``query_dict`` and
        computes its escaped form in ``new_value``. This listing ends before
        ``new_value`` is stored or anything is returned.
        """
        data_copy = query_dict.copy()
        for _get_key, _get_value_list in data_copy.lists():
            new_value_list = []
            for _get_value in _get_value_list:
                new_value = _get_value
                # Check whether the value parses as JSON; such values take
                # the separate branch at the bottom. json.loads accepts any
                # JSON document, including bare scalars and quoted strings,
                # so the request itself selects the branch.
                try:
                    json.loads(_get_value)
                    is_json = True
                except Exception, e:
                    is_json = False
                # Escape the value.
                if not is_json:
                    try:
                        # An explicit escape_type overrides the per-key lookup.
                        if escape_type is None:
                            use_type = self.__filter_param(path, _get_key)
                        else:
                            use_type = escape_type

                        if use_type == 'url':
                            new_value = url_escape(_get_value)
                        elif use_type == 'script':
                            new_value = check_script(_get_value, 1)
                        elif use_type == 'name':
                            new_value = html_escape_name(_get_value)
                        elif _get_key in self.__escape_param_list:
                            # Keys in this list are passed through unchanged.
                            # NOTE(review): every entry is an unescaped input
                            # that later code must handle itself -- keep the
                            # list minimal and reviewed.
                            new_value = _get_value
                        else:
                            new_value = html_escape(_get_value, 1)
                    except Exception, e:
                        # NOTE(review): fails open -- when escaping raises,
                        # the error is logged and the raw, unescaped value is
                        # kept. Confirm this is intended for an XSS filter.
                        logger.error(u"CheckXssMiddleware GET/POST参数 转换失败!%s" %
                                     e)
                        new_value = _get_value
                else:
                    try:
                        # NOTE(review): confirm this JSON branch is at least
                        # as strict as the non-JSON one; the extra arguments'
                        # meaning is not shown here.
                        new_value = html_escape(_get_value, 1, True)
                    except Exception, e:
                        # Same fail-open fallback as above: log, keep raw value.
                        logger.error(u"CheckXssMiddleware GET/POST参数 转换失败!%s" %
                                     e)
                        new_value = _get_value
コード例 #6
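    def login_success(self, request):
        """
        QQ login success page.

        Reads ``uin`` and ``skey`` from the request cookies, resolves them to
        an openid/openkey pair and verifies that pair. When verification
        fails the login-fail template is rendered. Otherwise the response is
        a redirect to ``refer_url`` (when the ``redirect`` GET parameter is
        truthy) or the login-success template, and in both cases it carries
        the ``openid`` and ``openkey`` cookies.

        :param request: incoming request; its ``COOKIES`` and ``GET`` are read.
        :return: the response described above.
        """
        uin = request.COOKIES.get('uin', '')
        skey = request.COOKIES.get('skey', '')
        # Convert uin to the QQ number.
        uin = self.transform_uin(uin)
        # Look up the user's openid.
        openid, openkey = self.get_openid_by_uin(request, uin, skey)

        if not self.verify_openid(request, openid, openkey):
            return render_mako_context(request, self._config.LOGIN_FAIL_TEMPLATE)

        # Whether the original request was an AJAX request.
        is_ajax = request.GET.get('is_ajax', '1')
        refer_url = request.GET.get('refer_url', '')
        redirect = request.GET.get("redirect", None)
        # Validate the request-supplied parameters.
        try:
            is_ajax = html_escape(is_ajax)
            # A missing callback URL, or one outside the current domain, is
            # replaced by the home page.
            # NOTE(review): the redirect target's safety rests on
            # is_url_in_domain (not shown here); confirm it compares the
            # parsed host rather than matching a substring of the URL.
            if not refer_url or not is_url_in_domain(refer_url):
                refer_url = self._config.S_URL
            else:
                refer_url = url_escape(refer_url)
        except Exception:
            # Was a bare ``except:``. Any validation failure still falls
            # back to the safe defaults, but KeyboardInterrupt/SystemExit
            # are no longer swallowed.
            is_ajax = 1
            refer_url = self._config.S_URL

        if redirect:
            response = HttpResponseRedirect(refer_url)
        else:
            ctx = {'is_ajax': is_ajax, 'refer_url': refer_url}
            # NOTE(review): the original comment here said the user's avatar
            # and nickname are stored in the session; nothing in this method
            # does that.
            response = render_mako_context(request, self._config.LOGIN_SUCCESS_TEMPLATE, ctx)

        # Both outcomes set the same two cookies, so this is done once.
        # NOTE(review): the cookies are set without the secure/httponly
        # flags. If no client-side script has to read openid/openkey,
        # pass secure=True and httponly=True to set_cookie.
        for cookie_name, cookie_value in (('openid', openid), ('openkey', openkey)):
            response.set_cookie(cookie_name, cookie_value, path=self._config.SITE_URL)
        return response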
コード例 #7
ファイル: middlewares.py プロジェクト: sun5365/test
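    def __escape_data(self, path, query_dict, escape_type=None):
        """
        Escape GET/POST parameters and return the updated copy.

        One escaped value per key is collected in a plain dict and merged
        into a copy of ``query_dict`` with ``update()``.

        :param path: request path, passed to ``self.__filter_param`` to look
            up the escape type for a key.
        :param query_dict: mapping providing ``copy()``, ``items()`` and
            ``update()``.
        :param escape_type: when not None, this escape type is applied to
            every key instead of the per-key lookup.
        :return: the copy after ``update()`` with the escaped values.
        """
        data_copy = query_dict.copy()
        new_data = {}
        for _get_key, _get_value in data_copy.items():
            # Check whether the value parses as JSON; such values take the
            # separate branch at the bottom. json.loads accepts any JSON
            # document, including bare scalars and quoted strings, so the
            # request itself selects the branch.
            try:
                json.loads(_get_value)
                is_json = True
            except Exception:
                is_json = False
            # Escape the value.
            if not is_json:
                try:
                    # Identity test instead of ``== None``; an explicit
                    # escape_type overrides the per-key lookup.
                    if escape_type is None:
                        use_type = self.__filter_param(path, _get_key)
                    else:
                        use_type = escape_type

                    if use_type == 'url':
                        new_data[_get_key] = url_escape(_get_value)
                    elif use_type == 'script':
                        new_data[_get_key] = check_script(_get_value, 1)
                    elif use_type == 'name':
                        new_data[_get_key] = html_escape_name(_get_value)
                    else:
                        new_data[_get_key] = html_escape(_get_value, 1)
                except Exception as e:
                    # NOTE(review): fails open -- when escaping raises, the
                    # error is logged and the raw, unescaped value is kept.
                    # Confirm this is intended for an XSS filter.
                    logger.error(u"CheckXssMiddleware GET/POST参数 转换失败!%s" % e)
                    new_data[_get_key] = _get_value
            else:
                try:
                    # NOTE(review): confirm this JSON branch is at least as
                    # strict as the non-JSON one; the extra arguments'
                    # meaning is not shown here.
                    new_data[_get_key] = html_escape(_get_value, 1, True)
                except Exception as e:
                    # Same fail-open fallback as above: log, keep raw value.
                    logger.error(u"CheckXssMiddleware GET/POST参数 转换失败!%s" % e)
                    new_data[_get_key] = _get_value
        # Merge the escaped values into the copy.
        # NOTE(review): if query_dict is a Django QueryDict (its type is not
        # shown here), items() yields only the last value of a repeated key
        # and update() appends instead of replacing, so the original raw
        # values stay reachable through getlist(). Writing escaped lists
        # back per key with setlist() avoids that -- confirm which applies.
        data_copy.update(new_data)
        return data_copy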