In browsers like chrome and firefox, if you type something like this into the address line:
http://mysite.com/q?name=喇叭嘴
they help you encode the url into:
http://mysite.com/?q=%E5%96%87%E5%8F%AD%E5%98%B4
So, in django, you can just use:
request.GET.get('q', '')
to get the value '喇叭嘴'.
However, this thing does not happen in IE(msie, thanks). That's why we keep on getting ��� instead.
With ajax handling, I can just use JavaScript encodeURI() Function to work around with it. However, triggering it every time is such a pain.
Is there any way to handle the issue in the backend?
Related
I'm trying to find something that will return an exception upon finding anything that even remotely looks like HTML or Javascript. I've figured out how to do it for individual views, but it's not a scalable solution, and ultimately I need to prevent code from being saved to the database no matter what view gets targeted by the injection attack.
Here is the functionality I'm looking for.
ILLEGAL_CHARS = '<>[]{}():;,'.split()
# bunch of code in between
for value in [company_name, url, status, information, lt_type, company_source]:
if any(char in value for char in ILLEGAL_CHARS):
raise Exception(f"You passed one of several illegal characters: {ILLEGAL_CHARS}")
I'm using django rest framework so I have to handle it on the backend. Thanks.
actually you don't nead to sanitize any user input because when you show them int the template the jinja {{object}} will make sure that no html or java script will be executed until you mark them as safe {{object|safe}} but if you want want not to save them in database that might help Sanitizing HTML in submitted form data
I am using redirectTo() function with params to redirect to another pages with a query string in the url. For security purpose this does not look appealing because the user can change the parameters in the url, thus altering what is inserted into the database.
My code is:
redirectTo(action="checklist", params="r=#r#&i=#insp#&d=#d#");
Is there anyway around this? I am not using a forms, I just wish to redirect and I want the destination action/Controller to know what I am passing but not display it in the url.
You can obfuscate the variables in the URL. CfWheels makes this really easy.
All you have to do is call set(obfuscateURLs=true) in the config/settings.cfm file to turn on URL obfuscation.
I am sure this works with linkTo() function. I hope it works with RedirectTo() funcation as well. I do not have a set up to check it now. But if doesn't work for RedirectTo(), you can obfuscateParam() and deObfuscateParam() functions to do job for you.
Caution: This will only make harder for user to guess the value. It doesn't encrypt value.
To know more about this, Please read the document configuration and defaults and obfuscating url
A much better approach to this particular situation is to write params to the [flash].1 The flash is exactly the same thing as it is in Ruby on Rails or the ViewBag in ASP.Net. It stores the data in a session or cookie variable and is deleted at the end of the next page's load. This prevents you from posting back long query strings like someone that has been coding for less than a year. ObfuscateParam only works with numbers and is incredibly insecure. Any power user can easily deobfuscate, even more so with someone that actually makes a living stealing data.
I'm using django_haystack with Solr 4.9. I've amended the /select request handler so that all requests use dismax by default.
The problem is that sometimes I would like to query specific fields, but I can't find a way to get the SearchQuerySet api to get it to play nicely with dismax. So basically I want to send the following (or equivalent) request to Solr:q=hello&qf=content_auto
I've tried the following aproaches:
Standard Api
SearchQuerySet().filter(content_auto='hello')
# understandably results in the following being sent to solr:
q=content_auto:hello
AltParser
query = AltParser('dismax', 'hello', qf="content_auto")
sqs = SearchQuerySet().filter(content=query)
# Results in
q=(_query_:"{!dismax+qf%3Dcontent_auto}hello")
Raw
query = Raw('hello&qf=content_auto')
# results in
q=hello%26qf%3Dcontent_auto
The last approach was so close, but since it escaped the = and & it doesn't seem to process the query correctly.
What is the best approach to dealing with this? I have no need for non-dismax querying so it would be preferable to keep the /select request handler the same rather than having to wrap every query in a Raw or AltParser.
In short, the answer is that it can't be done without creating a custom backend and SearchQuerySet. In the end I had to just revert back to a standard configuration and specifying dismax with an AltParser, slightly annoying because it affects your spelling suggestions.
I am working on an application with some friends and the back end REST API is in django. I sometimes get huge blocks of html printed to the console in place of anything meaningful, when I call an API from my angular front end. I have done some googling and I can't seem to find an answer of how to turn this off and make django return just error strings or json or something instead. Can someone help me get rid of this html?
Try using: https://docs.djangoproject.com/en/1.7/topics/logging/#configuring-logging
This will let you configure the logging in your django project.
Your Django app is working in debug mode. Please try this.
Go to ../yourdjangoproject/yourdjangoproject/settings.py
and find line Debug = True. Making it Debug=False will stop it from spitting out huge html upon errors.
Another thing you can do to only see errors as nice api response strings is this:
Find the view function which is giving the error, which can be found through the same huge html error message or by checking the view for url in urls.py
Then surround the whole view in try except like this.
def your_api_view(bla):
try:
#all of the view code goes here
except Exception as e:
return Response({"Error":e})
This way the error message will be shown to you like normal api response string.
I want to insert a URL filter and I would like the URL to be hard to dechiffre.
For example .*porn\.* in a way maybe that it uses the ASCII code for the letters in hex form .
Of course, the example is obvious and I definately will leave that one as it is ;)
But for the others I would like them to be hard to read!
Thx!
You can use the $_GET function in PHP to pull an ID out of the URL and display it that way, similar to Youtube with their "watch?v=". I recently did one using "?id=49" (I only have a few pages ATM, I will have about 70 soon). What I did is use a database with a song_id to index the information. I use the same basic layout, but you can use the ID to access information wrapped in PHP so that it doesnt get sent to the browser but will still display the page you want.
Or if you really want it to look crazy, you could use a database using the SHA() or MD5() function to encrypt it.
and your display will look like /page.php?id=21a57f2fe765e1ae4a8bf15d73fc1bf2a533f547f2343d12a499d9c0592044d4.