The Seven-Day Road to Python -- Day Nine

    As everyone knows, you don't learn code just by reading it. A program has only one standard.

    Below I'll look for some open source projects and learn from the sharp coding of the gurus......

    Some recommendations:

        Although it is a bit old: http://www.iteye.com/topic/405150. Searching GitHub for Django also turns up quite a lot, and of course there is OSChina as well. The one problem is that Django versions differ, so the specific details may vary somewhat, but the general idea is the same. Get the gist, then write your own code.

    Most important of all is still the official documentation.

    It is still somewhat hard going. I happened upon a nice blog: http://www.dannysite.com/, built with Django.

    Source code: https://github.com/manyunkai/dannysite.com

    OK, I had been meaning to build a blog anyway, and now I even have an example to follow.... I built a blog in Java before, but it didn't have many features; now is the chance. This week's task is to keep learning Django and then get the blog up and running....... Hoho!

                                                                                       -- July 29, 2014 19:14:04


(1) CSRF

    The CSRF middleware and template tag provides easy-to-use protection against Cross Site Request Forgeries.  This type of attack occurs when a malicious Web site contains a link, a form button or some javascript that is intended to perform some action on your Web site, using the credentials of a logged-in user who visits the malicious site in their browser.  A related type of attack, 'login CSRF', where an attacking site tricks a user's browser into logging into a site with someone else's credentials, is also covered.

  1. Add the middleware 'django.middleware.csrf.CsrfViewMiddleware' to your list of middleware classes, MIDDLEWARE_CLASSES.  (It should come before any view middleware that assume that CSRF attacks have been dealt with.)

    Alternatively, you can use the decorator csrf_protect() on particular views you want to protect (see below).

  2. In any template that uses a POST form, use the csrf_token tag inside the <form> element if the form is for an internal URL, e.g.:

    <form action="." method="post">{% csrf_token %}

    This should not be done for POST forms that target external URLs, since that would cause the CSRF token to be leaked, leading to a vulnerability.

  3. In the corresponding view functions, ensure that the 'django.core.context_processors.csrf' context processor is being used. Usually, this can be done in one of two ways:

    1. Use RequestContext, which always uses 'django.core.context_processors.csrf' (no matter what your TEMPLATE_CONTEXT_PROCESSORS setting).  If you are using generic views or contrib apps, you are covered already, since these apps use RequestContext throughout.

    2. Manually import and use the processor to generate the CSRF token and add it to the template context. e.g.:

      from django.core.context_processors import csrf
      from django.shortcuts import render_to_response

      def my_view(request):
          c = {}
          # add the CSRF token to the template context so {% csrf_token %} can render it
          c.update(csrf(request))
          # ... view code here
          return render_to_response("a_template.html", c)

      You may want to write your own render_to_response() wrapper that takes care of this step for you.

      The utility script extras/csrf_migration_helper.py (located in the Django distribution, but not installed) can help to automate the finding of code and templates that may need these steps. It contains full help on how to use it.
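The checks that the three steps above set up, shown end to end as an added example in plain Python; this is not the page's code nor Django's own implementation. It mirrors the middleware's logic in simplified, unmasked form: the cookie name csrftoken and the hidden field name csrfmiddlewaretoken are Django's real names, while the helper names, the site host example.test and the request dictionaries are constructed for illustration. It also covers the step 2 caveat by emitting the hidden field only for forms that post to an internal URL.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Methods the middleware treats as "safe" and does not check (same set as Django).
SAFE_METHODS = ("GET", "HEAD", "OPTIONS", "TRACE")
COOKIE_NAME = "csrftoken"            # Django's default CSRF cookie name
FIELD_NAME = "csrfmiddlewaretoken"   # name of the hidden input {% csrf_token %} renders


def generate_token() -> str:
    """Fresh random token, as set in the csrftoken cookie on first response."""
    return secrets.token_urlsafe(32)


def csrf_hidden_input(action: str, token: str, site_host: str = "example.test") -> str:
    """Hidden input for the form, but only when the form targets an internal URL.

    Emitting the token into a form that posts to another site would leak it to
    that site (the caveat under step 2), so external actions get nothing.
    site_host is an assumed hostname for this example.
    """
    parts = urlsplit(action)
    internal = parts.netloc == "" or parts.netloc == site_host
    if not internal:
        return ""
    return f'<input type="hidden" name="{FIELD_NAME}" value="{token}">'


def render_form(action: str, token: str, site_host: str = "example.test") -> str:
    """Constructed stand-in for a template containing {% csrf_token %}."""
    return (f'<form action="{action}" method="post">'
            f'{csrf_hidden_input(action, token, site_host)}</form>')


def check_request(method: str, cookies: dict, post_data: dict):
    """Simplified version of the decision CsrfViewMiddleware makes per request.

    Returns (accepted, reason). The form token must equal the cookie token;
    a cross-site page can make the browser send the cookie but cannot read it,
    so it cannot supply a matching form field.
    """
    if method.upper() in SAFE_METHODS:
        return True, "safe method"
    cookie_token = cookies.get(COOKIE_NAME)
    if not cookie_token:
        return False, "CSRF cookie not set"
    form_token = post_data.get(FIELD_NAME, "")
    # Constant-time comparison; encode so non-ASCII input cannot raise TypeError.
    if not hmac.compare_digest(cookie_token.encode(), form_token.encode()):
        return False, "CSRF token missing or incorrect"
    return True, "ok"


def simulate() -> dict:
    """Constructed scenario: one legitimate same-site post, one cross-site post."""
    token = generate_token()
    victim_cookies = {COOKIE_NAME: token}          # browser holds the site's cookie
    same_site = {FIELD_NAME: token}                # form rendered by our template
    cross_site = {"amount": "100"}                 # attacker's form cannot know token
    return {
        "same_site": check_request("POST", victim_cookies, same_site),
        "cross_site": check_request("POST", victim_cookies, cross_site),
        "internal_form": render_form("/post/", token),
        "external_form": render_form("https://other.example/pay", token),
    }


if __name__ == "__main__":
    for name, result in simulate().items():
        print(f"{name}: {result}")
```

Run it directly to see the same-site post accepted, the cross-site post rejected with "CSRF token missing or incorrect", and the hidden input present only in the internal form. The compare_digest call is the one detail worth keeping even in a toy: a plain == comparison on secrets leaks timing information.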

    As for AJAX, that can wait until later. Next I'll start writing the Django blog.

                                                                                   -- July 29, 2014 21:02:21
