七日Python之路--第九天

    衆所周知，代碼這東西不是看出來的。程序這東西只喲一個標準。

    下面找點開源的東西看看，學習一下大嬸們的犀利編碼......

    推薦一下：

        雖然有點老了：http://www.iteye.com/topic/405150，還有就是GitHub上面搜索一下Django就能出來不少，固然還有OSChina。只是有個問題，就是Django版本不一樣，具體的內容可能會有些不一樣，但大概仍是相同的。領略便可，而後書寫本身的代碼。

    首要的仍是官方文檔。

---

    看着仍是有些難度的。偶然發現一個不錯的Blog：http://www.dannysite.com/ 使用Django搭建

    源碼：https://github.com/manyunkai/dannysite.com

    OK，原本就有意要建立一個Blog的，如今連例子也都有了....以前使用Java建過一個Blog，只是功能不多，如今有機會了。這周的任務就是繼續學習Django 而後 再把 Blog 搭建起來.......吼吼！

                                                                                       --2014年07月29日19:14:04

---

（一）csrf 

    The CSRF middleware and template tag provides easy-to-use protection againstCross Site Request Forgeries.  This type of attack occurs when a malicious Web site contains a link, a form button or some javascript that is intended to perform some action on your Web site, using the credentials of a logged-in user who visits the malicious site in their browser.  A related type of attack, ‘login CSRF’, where an attacking site tricks a user’s browser into logging into a site with someone else’s credentials, is also covered.

1. Add the middleware'django.middleware.csrf.CsrfViewMiddleware' to your list of middleware classes, MIDDLEWARE_CLASSES.  (It should come before any view middleware that assume that CSRF attacks have been dealt with.)

   Alternatively, you can use the decoratorcsrf_protect() on particular views you want to protect (see below).

2. In any template that uses a POST form, use the csrf_token tag inside the <form> element if the form is for an internal URL, e.g.:

   <form action="." method="post">{% csrf_token %}

   This should not be done for POST forms that target external URLs, since that would cause the CSRF token to be leaked, leading to a vulnerability.

3. In the corresponding view functions, ensure that the'django.core.context_processors.csrf' context processor is being used. Usually, this can be done in one of two ways:

1. Use RequestContext, which always uses'django.core.context_processors.csrf' (no matter what your TEMPLATE_CONTEXT_PROCESSORS setting).  If you are using generic views or contrib apps, you are covered already, since these apps use RequestContext throughout.

2. Manually import and use the processor to generate the CSRF token and add it to the template context. e.g.:

   from django.core.context_processors import csrffrom django.shortcuts import render_to_responsedef my_view(request):
       c = {}
       c.update(csrf(request))
       # ... view code here
       return render_to_response("a_template.html", c)

   You may want to write your ownrender_to_response() wrapper that takes care of this step for you.

   The utility script extras/csrf_migration_helper.py (located in the Django distribution, but not installed) can help to automate the finding of code and templates that may need these steps. It contains full help on how to use it.

至於AJAX，之後再說吧。下面將開始Django及Blog的編寫。

                                                                               -- 2014年07月29日21:02:21