 def __escape_data(self, path, query_dict, escape_type=None):
     """
     Escape GET/POST parameters.

     Builds ``new_data`` from a copy of ``query_dict``: a value that parses
     as JSON goes through ``html_escape(value, True)``; any other value is
     routed by ``escape_type`` — or by ``self.__filter_param(path, key)``
     when ``escape_type`` is None — to ``url_escape`` (``'url'``),
     ``texteditor_escape`` (``'texteditor'``) or ``html_escape``.

     NOTE(review): the listing ends without ``new_data`` being returned or
     merged back, so it looks truncated; the caller-visible result cannot
     be determined from what is shown here.

     :param path: request path used to choose the per-parameter type
     :param query_dict: GET/POST data; ``copy()`` is called, the original
         is not modified here
     :param escape_type: force one escape type for every key, or None
     """
     data_copy = query_dict.copy()
     new_data = {}
     # ``items()`` yields one value per key; if query_dict is a Django
     # QueryDict, extra values of a multi-valued key are not seen — TODO confirm.
     for _get_key, _get_value in data_copy.items():
         # JSON documents are not routed by parameter type. json.loads also
         # accepts bare numbers and quoted strings, so a parameter such as
         # "123" takes the JSON branch; a non-string value (e.g. None)
         # raises TypeError and is treated as non-JSON.
         try:
             json.loads(_get_value)
             is_json = True
         except Exception, e:  # Python 2-only syntax; ``e`` is unused
             is_json = False
         # Escape into the new mapping.
         if not is_json:
             if escape_type is None:
                 use_type = self.__filter_param(path, _get_key)
             else:
                 use_type = escape_type
             if use_type == 'url':
                 new_data[_get_key] = url_escape(_get_value)
             elif use_type == 'texteditor':
                 new_data[_get_key] = texteditor_escape(_get_value)
             else:
                 new_data[_get_key] = html_escape(_get_value)
         else:
             # The second positional argument presumably selects JSON-aware
             # escaping — TODO confirm against html_escape.
             new_data[_get_key] = html_escape(_get_value, True)
 def __escape_data(self, path, query_dict, escape_type=None):
     """
     Escape GET/POST parameters.

     Builds ``new_data`` from a copy of ``query_dict``: a value that parses
     as JSON goes through ``html_escape(value, True)``; any other value is
     routed by ``escape_type`` — or by ``self.__filter_param(path, key)``
     when ``escape_type`` is None — to ``url_escape`` (``'url'``),
     ``texteditor_escape`` (``'texteditor'``) or ``html_escape``.

     NOTE(review): the listing ends without ``new_data`` being returned or
     merged back, so it looks truncated; the caller-visible result cannot
     be determined from what is shown here.

     :param path: request path used to choose the per-parameter type
     :param query_dict: GET/POST data; ``copy()`` is called, the original
         is not modified here
     :param escape_type: force one escape type for every key, or None
     """
     data_copy = query_dict.copy()
     new_data = {}
     # ``items()`` yields one value per key; if query_dict is a Django
     # QueryDict, extra values of a multi-valued key are not seen — TODO confirm.
     for _get_key, _get_value in data_copy.items():
         # JSON documents are not routed by parameter type. json.loads also
         # accepts bare numbers and quoted strings, so a parameter such as
         # "123" takes the JSON branch; a non-string value (e.g. None)
         # raises TypeError and is treated as non-JSON.
         try:
             json.loads(_get_value)
             is_json = True
         except Exception, e:  # Python 2-only syntax; ``e`` is unused
             is_json = False
         # Escape into the new mapping.
         if not is_json:
             if escape_type is None:
                 use_type = self.__filter_param(path, _get_key)
             else:
                 use_type = escape_type
             if use_type == 'url':
                 new_data[_get_key] = url_escape(_get_value)
             elif use_type == 'texteditor':
                 new_data[_get_key] = texteditor_escape(_get_value)
             else:
                 new_data[_get_key] = html_escape(_get_value)
         else:
             # The second positional argument presumably selects JSON-aware
             # escaping — TODO confirm against html_escape.
             new_data[_get_key] = html_escape(_get_value, True)
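 def __escape_data(self, path, query_dict, escape_type=None):
     """
     Escape GET/POST parameters.

     Returns a copy of ``query_dict`` (expected to offer ``copy()``,
     ``lists()`` and ``setlist()``, i.e. a Django QueryDict — TODO confirm)
     in which every value of every key has been escaped:

     * a value that parses as a JSON document goes through
       ``html_escape(value, True)``;
     * any other value is routed by ``escape_type`` — or, when that is
       None, by ``self.__filter_param(path, key)`` — to ``url_escape``
       (``'url'``), ``texteditor_escape`` (``'texteditor'``) or
       ``html_escape`` (anything else).

     :param path: request path used to choose the per-parameter type
     :param query_dict: the GET/POST data to escape; not modified
     :param escape_type: force one escape type for every key, or None
     :return: the escaped copy
     """
     data_copy = query_dict.copy()
     for _get_key, _get_value_list in data_copy.lists():
         new_value_list = []
         for _get_value in _get_value_list:
             # Only a parse failure marks a value as "not JSON". The
             # original bare ``except:`` also swallowed KeyboardInterrupt
             # and SystemExit. ValueError covers malformed input (Python 3's
             # JSONDecodeError is a subclass); TypeError covers non-string
             # values such as None.
             try:
                 json.loads(_get_value)
                 is_json = True
             except (ValueError, TypeError):
                 is_json = False
             if is_json:
                 # Anything json.loads accepts lands here — including bare
                 # numbers and JSON string literals — so such values bypass
                 # the per-parameter routing below.
                 new_value = html_escape(_get_value, True)
             else:
                 if escape_type is None:
                     use_type = self.__filter_param(path, _get_key)
                 else:
                     use_type = escape_type
                 if use_type == 'url':
                     new_value = url_escape(_get_value)
                 elif use_type == 'texteditor':
                     new_value = texteditor_escape(_get_value)
                 else:
                     new_value = html_escape(_get_value)
             new_value_list.append(new_value)
         data_copy.setlist(_get_key, new_value_list)
     return data_copy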
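 def __escape_data(self, path, query_dict, escape_type=None):
     """
     Escape GET/POST parameters.

     Returns a copy of ``query_dict`` (expected to offer ``copy()``,
     ``lists()`` and ``setlist()``, i.e. a Django QueryDict — TODO confirm)
     in which every value of every key has been escaped:

     * a value that parses as a JSON document goes through
       ``html_escape(value, True)``;
     * any other value is routed by ``escape_type`` — or, when that is
       None, by ``self.__filter_param(path, key)`` — to ``url_escape``
       (``'url'``), ``texteditor_escape`` (``'texteditor'``) or
       ``html_escape`` (anything else).

     :param path: request path used to choose the per-parameter type
     :param query_dict: the GET/POST data to escape; not modified
     :param escape_type: force one escape type for every key, or None
     :return: the escaped copy
     """
     data_copy = query_dict.copy()
     for _get_key, _get_value_list in data_copy.lists():
         new_value_list = []
         for _get_value in _get_value_list:
             # Only a parse failure marks a value as "not JSON". The
             # original bare ``except:`` also swallowed KeyboardInterrupt
             # and SystemExit. ValueError covers malformed input (Python 3's
             # JSONDecodeError is a subclass); TypeError covers non-string
             # values such as None.
             try:
                 json.loads(_get_value)
                 is_json = True
             except (ValueError, TypeError):
                 is_json = False
             if is_json:
                 # Anything json.loads accepts lands here — including bare
                 # numbers and JSON string literals — so such values bypass
                 # the per-parameter routing below.
                 new_value = html_escape(_get_value, True)
             else:
                 if escape_type is None:
                     use_type = self.__filter_param(path, _get_key)
                 else:
                     use_type = escape_type
                 if use_type == 'url':
                     new_value = url_escape(_get_value)
                 elif use_type == 'texteditor':
                     new_value = texteditor_escape(_get_value)
                 else:
                     new_value = html_escape(_get_value)
             new_value_list.append(new_value)
         data_copy.setlist(_get_key, new_value_list)
     return data_copy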
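def my_applys(request):
    """
    List the current user's applications as JSON, 10 per page.

    Original author's note: not very familiar with cross-table queries on
    Django models; used as-is for now, to be optimised later depending on
    performance.

    Optional GET filters (each is passed through ``html_escape`` first):

    * ``apply_award`` — substring match on the award name
    * ``check_state`` — ``'-1'`` selects applications with no state yet
      (``is_not`` flag passed to ``get_my_apply``); any other value is
      matched exactly
    * ``start_time`` / ``end_time`` — both required, ``YYYY-MM-DD``; a
      malformed date raises ValueError from strptime (not caught here)
    * ``page`` — page number; non-integers fall back to page 1, values
      past the end to the last page

    :param request: Django HttpRequest
    :return: ``render_json`` response with ``counts`` and ``my_applys``
    """
    # NOTE(review): when a parameter is absent, None is passed to
    # html_escape; the ``is not None`` checks below assume it returns None
    # unchanged — TODO confirm.
    apply_award_f = html_escape(request.GET.get('apply_award'))
    check_state_f = html_escape(request.GET.get('check_state'))
    start_time_f = html_escape(request.GET.get('start_time'))
    end_time_f = html_escape(request.GET.get('end_time'))
    apply_query_list = []
    is_not = False

    if apply_award_f is not None:
        apply_query_list.append(Q(award__name__contains=apply_award_f))

    uin = request.COOKIES.get('uin', '')
    user_qq = transform_uin(uin)
    user = request.user
    if check_state_f is not None:
        if check_state_f == '-1':
            # "No state yet" cannot be expressed as a Q here; get_my_apply
            # handles it via the is_not flag.
            is_not = True
        else:
            apply_query_list.append(Q(state=check_state_f))
    if start_time_f is not None and end_time_f is not None:
        apply_query_list.append(
            Q(apply_time__range=(
                datetime.datetime.strptime(start_time_f, "%Y-%m-%d"),
                datetime.datetime.strptime(end_time_f, "%Y-%m-%d"))))

    applys = get_my_apply(user, user_qq, apply_query_list, is_not)
    paginator = Paginator(applys, 10)
    page = request.GET.get('page', 1)
    try:
        page_obj = paginator.page(page)
    except PageNotAnInteger:
        page_obj = paginator.page(1)
    except EmptyPage:
        # Clamp to the last page. The original passed paginator.count (the
        # number of objects) as the page number, which raises EmptyPage
        # again whenever there are more objects than pages.
        page_obj = paginator.page(paginator.num_pages)

    return render_json({
        'counts': paginator.count,
        'my_applys': page_obj.object_list
    })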
 def handel_response(self, request, response):
     """
     Shared response post-processing for the login flow (cookies, session).

     When both ``openid`` and ``openkey`` are present in the query string
     they are HTML-escaped and written back as cookies scoped to
     ``self._config.SITE_URL``; otherwise ``response`` is returned as-is.

     NOTE(review): the cookie values are the query-string values after
     escaping only — nothing here checks them against the identity
     provider, and ``set_cookie`` is called without ``httponly``/``secure``.
     Confirm they are verified upstream before relying on them.
     """
     params = request.GET
     openid = params.get('openid', '')
     openkey = params.get('openkey', '')
     if not (openid and openkey):
         return response
     # Escape both values before touching the response, as the original did.
     escaped = [html_escape(value) for value in (openid, openkey)]
     cookie_path = self._config.SITE_URL
     for name, value in zip(('openid', 'openkey'), escaped):
         response.set_cookie(name, value, path=cookie_path)
     return response
    def __escape_data(self, path, query_dict, escape_type=None):
        """
        Escape GET/POST parameters.

        Iterates every value of every key of a copy of ``query_dict``
        (``lists()`` — a Django QueryDict API — TODO confirm) and computes
        ``new_value``: a value that parses as JSON goes through
        ``html_escape(value, 1, True)``; any other value is routed by
        ``escape_type`` — or by ``self.__filter_param(path, key)`` when that
        is None — to ``url_escape`` (``'url'``), ``check_script(value, 1)``
        (``'script'``), ``html_escape_name`` (``'name'``), left unchanged
        when the key is in ``self.__escape_param_list``, or
        ``html_escape(value, 1)`` otherwise.

        If an escape helper raises, the error is logged and the RAW value is
        kept (fail-open): a logged failure means that parameter reached the
        view unescaped.

        NOTE(review): the listing stops after computing ``new_value`` —
        nothing shown here appends it to ``new_value_list`` or writes the
        list back, so the listing appears truncated.

        :param path: request path used to choose the per-parameter type
        :param query_dict: GET/POST data; ``copy()`` is called first
        :param escape_type: force one escape type for every key, or None
        """
        data_copy = query_dict.copy()
        for _get_key, _get_value_list in data_copy.lists():
            new_value_list = []
            for _get_value in _get_value_list:
                new_value = _get_value
                # JSON documents are not routed by parameter type. json.loads
                # also accepts bare numbers and quoted strings, so "123"
                # takes the JSON branch; a non-string (e.g. None) raises
                # TypeError and is treated as non-JSON.
                try:
                    json.loads(_get_value)
                    is_json = True
                except Exception, e:  # Python 2-only syntax; ``e`` is unused
                    is_json = False
                # Escape the new value.
                if not is_json:
                    try:
                        if escape_type is None:
                            use_type = self.__filter_param(path, _get_key)
                        else:
                            use_type = escape_type

                        if use_type == 'url':
                            new_value = url_escape(_get_value)
                        elif use_type == 'script':
                            new_value = check_script(_get_value, 1)
                        elif use_type == 'name':
                            new_value = html_escape_name(_get_value)
                        elif _get_key in self.__escape_param_list:
                            # Allow-list of parameters delivered raw; every
                            # key on it bypasses escaping entirely, so its
                            # contents deserve review.
                            new_value = _get_value
                        else:
                            new_value = html_escape(_get_value, 1)
                    except Exception, e:
                        # Fail-open: log and keep the unescaped value.
                        logger.error(u"CheckXssMiddleware GET/POST参数 转换失败!%s" %
                                     e)
                        new_value = _get_value
                else:
                    try:
                        new_value = html_escape(_get_value, 1, True)
                    except Exception, e:
                        # Fail-open: log and keep the unescaped value.
                        logger.error(u"CheckXssMiddleware GET/POST参数 转换失败!%s" %
                                     e)
                        new_value = _get_value
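def awards(request):
    """
    List awards as JSON, 10 per page, optionally filtered.

    Optional GET filters (each is passed through ``html_escape`` first):

    * ``organization`` — substring match on the organization name
    * ``apply_award`` — substring match on the award name
    * ``check_state`` — ``'1'`` selects active awards, anything else inactive
    * ``start_time`` / ``end_time`` — both required, ``YYYY-MM-DD``;
      selects awards strictly inside that window. A malformed date raises
      ValueError from strptime (not caught here).
    * ``page`` — page number; non-integers fall back to page 1, values
      past the end to the last page

    The supplied filters are OR-ed together (``reduce(operator.or_, ...)``)
    and then restricted to non-deleted awards of non-deleted organizations.
    NOTE(review): OR-ing independent filters returns an award matching any
    one of them — confirm this is intended rather than AND.

    :param request: Django HttpRequest
    :return: ``render_json`` response with ``counts`` and ``awards``
    """
    # NOTE(review): absent parameters pass None to html_escape; the
    # ``is not None`` checks below assume it returns None unchanged — TODO confirm.
    organization_f = html_escape(request.GET.get('organization'))
    apply_award_f = html_escape(request.GET.get('apply_award'))
    check_state_f = html_escape(request.GET.get('check_state'))
    start_time_f = html_escape(request.GET.get('start_time'))
    end_time_f = html_escape(request.GET.get('end_time'))

    query_list = []

    if organization_f is not None:
        query_list.append(Q(organization__name__contains=organization_f))
    if apply_award_f is not None:
        query_list.append(Q(name__contains=apply_award_f))
    if check_state_f is not None:
        query_list.append(Q(is_active=(check_state_f == '1')))
    if start_time_f is not None and end_time_f is not None:
        query_list.append(
            Q(start_time__gt=datetime.datetime.strptime(
                start_time_f, "%Y-%m-%d")) &
            Q(end_time__lt=datetime.datetime.strptime(end_time_f, "%Y-%m-%d")))

    # Soft-deleted rows are always excluded, whatever the user filters on.
    base_filters = {'soft_del': False, 'organization__soft_del': False}
    if query_list:
        award_all = Awards.objects.filter(
            reduce(operator.or_, query_list), **base_filters)
    else:
        award_all = Awards.objects.filter(**base_filters)
    # ``.all()`` in the original only cloned the queryset; dropped.
    award_all = award_all.order_by('-id').select_related('organization')

    paginator = Paginator(award_all, 10)
    page = request.GET.get('page', 1)
    try:
        page_obj = paginator.page(page)
    except PageNotAnInteger:
        page_obj = paginator.page(1)
    except EmptyPage:
        # Clamp to the last page. The original passed paginator.count (the
        # number of objects) as the page number, which raises EmptyPage
        # again whenever there are more objects than pages.
        page_obj = paginator.page(paginator.num_pages)
    return render_json({
        'counts': paginator.count,
        'awards': Awards.to_array(page_obj)
    })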
파일: middlewares.py 프로젝트: sun5365/test
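    def __escape_data(self, path, query_dict, escape_type=None):
        """
        Escape GET/POST parameters.

        Returns a copy of ``query_dict`` whose values have been escaped
        (``copy()``, ``items()`` and ``update()`` are the only methods used).
        A value that parses as JSON goes through ``html_escape(value, 1, True)``;
        any other value is routed by ``escape_type`` — or by
        ``self.__filter_param(path, key)`` when ``escape_type`` is None — to
        ``url_escape`` (``'url'``), ``check_script(value, 1)`` (``'script'``),
        ``html_escape_name`` (``'name'``) or ``html_escape(value, 1)``.

        If an escape helper raises, the error is logged and the RAW value is
        kept (fail-open): a logged failure means that parameter reached the
        view unescaped.

        NOTE(review): ``items()`` yields one value per key; if ``query_dict``
        is a Django QueryDict, extra values of a multi-valued key are left
        untouched in the copy — TODO confirm.

        :param path: request path used to choose the per-parameter type
        :param query_dict: GET/POST data; not modified
        :param escape_type: force one escape type for every key, or None
        :return: escaped copy of ``query_dict``
        """
        data_copy = query_dict.copy()
        new_data = {}
        for _get_key, _get_value in data_copy.items():
            # Only a parse failure means "not JSON": ValueError for malformed
            # input (JSONDecodeError is a subclass), TypeError for non-string
            # values such as None. The original caught Exception, which also
            # hid unrelated errors.
            try:
                json.loads(_get_value)
                is_json = True
            except (ValueError, TypeError):
                is_json = False
            # Both branches shared the same handler in the original; one
            # try/except covers them.
            try:
                if is_json:
                    # Anything json.loads accepts lands here — bare numbers
                    # and JSON string literals included — so those bypass
                    # the per-parameter routing below.
                    new_data[_get_key] = html_escape(_get_value, 1, True)
                else:
                    if escape_type is None:
                        use_type = self.__filter_param(path, _get_key)
                    else:
                        use_type = escape_type
                    if use_type == 'url':
                        new_data[_get_key] = url_escape(_get_value)
                    elif use_type == 'script':
                        new_data[_get_key] = check_script(_get_value, 1)
                    elif use_type == 'name':
                        new_data[_get_key] = html_escape_name(_get_value)
                    else:
                        new_data[_get_key] = html_escape(_get_value, 1)
            except Exception as e:
                # Fail-open: keep the raw value so the request still
                # proceeds; the log line is the only trace of the miss.
                logger.error(u"CheckXssMiddleware GET/POST参数 转换失败!%s" % e)
                new_data[_get_key] = _get_value
        data_copy.update(new_data)
        return data_copy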
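def valid_organization(data):
    """
    Validate an organization payload and HTML-escape it in place.

    Raises ``InvalidData`` when ``name`` is empty or missing, or when either
    ``head`` or ``eva_member`` is empty. On success ``data`` is updated in
    place with the escaped values: the whole dict is serialised, passed
    through ``html_escape(..., is_json=True)`` and reloaded.

    :param data: dict payload with at least ``name``, ``head`` and ``eva_member``
    :return: None
    :raises InvalidData: on a validation failure
    """
    # A character allow-list for ``name`` was present but commented out in
    # the original; only the emptiness check is live.
    if not data.get('name'):
        raise InvalidData(u'组织名字不能为空')

    if len(data['head']) == 0 or len(data['eva_member']) == 0:
        raise InvalidData(u'负责人或评价人员不能为空')

    # The original rebound the local name ``data`` here and returned
    # nothing, so the escaped result was silently discarded and callers
    # kept the raw input. Write the escaped values back into the caller's
    # dict instead, matching how valid_award mutates its argument.
    escaped = json.loads(html_escape(json.dumps(data), is_json=True))
    data.update(escaped)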
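def valid_award(data):
    """
    Validate an award payload and sanitise it in place.

    Checks, in order: ``name`` is not ``''``; ``begin_time`` is not after
    ``end_time`` (compared with ``>`` as given — if these are strings the
    comparison is lexical, which matches chronological order only for a
    fixed zero-padded format — TODO confirm); no value is ``''`` or None.
    Then ``requirement`` is run through the ``XssHtml`` rich-text filter
    and ``name`` through ``html_escape``, both written back into ``data``.

    :param data: dict payload with ``name``, ``begin_time``, ``end_time``
        and ``requirement``; every value is checked for emptiness
    :return: None
    :raises InvalidData: on the first failing check
    """
    if data['name'] == '':
        raise InvalidData(u'奖项名字不能为空')
    if data['begin_time'] > data['end_time']:
        raise InvalidData(u'开始时间不能晚于结束时间')
    if any(v == '' or v is None for v in data.values()):
        raise InvalidData(u'不能为空')

    # Rich-text field: neutralise markup via the project's XssHtml parser.
    parser = XssHtml()
    parser.feed(data['requirement'])
    parser.close()
    data['requirement'] = parser.getHtml()
    data['name'] = html_escape(data['name'])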
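    def login_success(self, request):
        """
        QQ login success page.

        Reads ``uin``/``skey`` from the cookies, converts ``uin`` to a QQ
        number, resolves the user's ``openid``/``openkey`` and verifies
        them; on failure renders ``LOGIN_FAIL_TEMPLATE``. On success the
        ``openid``/``openkey`` cookies are set (path ``SITE_URL``) on either
        a redirect to ``refer_url`` (when ``redirect`` is given) or the
        rendered ``LOGIN_SUCCESS_TEMPLATE``.

        ``refer_url`` is honoured only when ``is_url_in_domain`` accepts it
        and falls back to ``S_URL`` otherwise; that check is what keeps this
        endpoint from acting as an open redirect — keep it.

        :param request: Django HttpRequest
        :return: HttpResponseRedirect or the rendered template response
        """
        uin = request.COOKIES.get('uin', '')
        skey = request.COOKIES.get('skey', '')
        # Convert uin to the QQ number.
        uin = self.transform_uin(uin)
        openid, openkey = self.get_openid_by_uin(request, uin, skey)

        if not self.verify_openid(request, openid, openkey):
            return render_mako_context(request, self._config.LOGIN_FAIL_TEMPLATE)

        # Whether the original request was an AJAX one.
        is_ajax = request.GET.get('is_ajax', '1')
        refer_url = request.GET.get('refer_url', '')
        redirect = request.GET.get("redirect", None)
        try:
            is_ajax = html_escape(is_ajax)
            # Missing or off-domain callback: go to the site root instead.
            if not refer_url or not is_url_in_domain(refer_url):
                refer_url = self._config.S_URL
            else:
                refer_url = url_escape(refer_url)
        except Exception:
            # Any escaping/validation failure falls back to safe defaults.
            # The original bare ``except:`` also swallowed SystemExit and
            # KeyboardInterrupt. The fallback is the int 1 while the normal
            # path yields a string — preserved as-is.
            is_ajax = 1
            refer_url = self._config.S_URL

        def _with_login_cookies(response):
            # Both exit paths set the same two cookies. NOTE(review): set
            # without httponly/secure — confirm whether client-side script
            # needs to read them before tightening.
            response.set_cookie('openid', openid, path=self._config.SITE_URL)
            response.set_cookie('openkey', openkey, path=self._config.SITE_URL)
            return response

        if redirect:
            return _with_login_cookies(HttpResponseRedirect(refer_url))

        ctx = {'is_ajax': is_ajax, 'refer_url': refer_url}
        # Original comment says the avatar and nickname are put into the
        # session here; nothing in this method does that.
        return _with_login_cookies(
            render_mako_context(request, self._config.LOGIN_SUCCESS_TEMPLATE, ctx))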
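def valid_award(data):
    """
    Validate an award payload and sanitise it in place.

    Raises ``InvalidData`` when ``name`` is ``''`` or when any value is
    ``''`` or None. Then ``content`` is run through the ``XssHtml``
    rich-text filter and ``name`` through ``html_escape``, both written
    back into ``data``.

    :param data: dict payload with at least ``name`` and ``content``;
        every value is checked for emptiness
    :return: None
    :raises InvalidData: on the first failing check
    """
    # A character allow-list for ``name`` was present but commented out in
    # the original; only the emptiness checks are live.
    if data['name'] == '':
        raise InvalidData(u'奖项名字不能为空')
    if any(v == '' or v is None for v in data.values()):
        raise InvalidData(u'不能为空')

    # Rich-text field: neutralise markup via the project's XssHtml parser.
    parser = XssHtml()
    parser.feed(data['content'])
    parser.close()
    data['content'] = parser.getHtml()
    data['name'] = html_escape(data['name'])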
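def valid_decide(data):
    """
    Validate a decision payload and HTML-escape it in place.

    Raises ``InvalidData`` when any value is ``''`` or None. On success the
    whole payload is serialised, passed through
    ``html_escape(..., is_json=True)``, reloaded and written back into ``data``.

    :param data: dict-like payload
    :return: None
    :raises InvalidData: when a value is empty
    """
    if any(v == '' or v is None for v in data.values()):
        raise InvalidData(u'不能为空')
    # The original rebound the local name ``data`` and returned nothing, so
    # the escaped result was discarded and callers kept the raw input.
    escaped = json.loads(html_escape(json.dumps(data), is_json=True))
    data.update(escaped)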