How to use universal views in Python’s Django framework

The way to use generic views is to create configuration dictionaries in the URLconf file, and then use these dictionaries as the third member of the URLconf tuple.

For example, here is a URLconf that renders a static About page:

 from django.conf.urls.defaults import *
 from django.views.generic.simple import direct_to_template

 urlpatterns = patterns('',
   (r'^about/$', direct_to_template, {
     'template': 'about.html'
   })
 )

Views that don't require any coding may seem a bit unbelievable at first glance, but this is exactly the same mechanism as the example in Chapter 8: the direct_to_template view simply takes the template name from the extra-parameters dictionary and uses it to render the response.

Because generic views are standard view functions, we can reuse them inside our own views. For example, we extend the about example so that URLs of the form /about/<whatever>/ map to the statically rendered template about/<whatever>.html. We first modify the URL configuration to point to the new view function (the added lines are the import and the second pattern):

 from django.conf.urls.defaults import *
 from django.views.generic.simple import direct_to_template
 from mysite.books.views import about_pages

 urlpatterns = patterns('',
   (r'^about/$', direct_to_template, {
     'template': 'about.html'
   }),
   (r'^about/(\w+)/$', about_pages),
 )

Next, we write the code for the about_pages view:

 from django.http import Http404
 from django.template import TemplateDoesNotExist
 from django.views.generic.simple import direct_to_template

 def about_pages(request, page):
   try:
     return direct_to_template(request, template="about/%s.html" % page)
   except TemplateDoesNotExist:
     raise Http404()

Here we use direct_to_template like any other function. Since it returns an HttpResponse object, we simply return it. The only slightly tricky part is handling the case where the template is not found: we don't want a non-existent template to cause a server-side error, so we catch the TemplateDoesNotExist exception and return a 404 error instead.

Are there any security issues here?

Eagle-eyed readers may have noticed a possible security vulnerability: we construct the template name directly from data obtained from the client browser (template="about/%s.html" % page). At first glance, this looks like a classic directory traversal attack (see Chapter 20 for details). Is that really the case?

Not at all. Yes, a malicious page value could cause directory traversal, but even though page is taken from the requested URL, not every value will be accepted. This is the key point of the URL configuration: we use the regular expression \w+ to match page from the URL, and \w only matches word characters (letters, digits and the underscore). Therefore, any malicious characters (in this case the dot . and the forward slash /) are rejected while the URL is being parsed and are never passed to the view function at all.
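To see concretely why the \w+ capture group settles the traversal question, and what a second line of defence would look like, here is an added stand-alone Python example; it is not code from this page or from Django. It mimics the URL resolver with the page's own regular expression, builds the template name with the same string formatting as about_pages, and adds a hypothetical stays_inside_root check against a constructed TEMPLATE_ROOT (the sample URLs are constructed too). It also shows one caveat the text does not mention: in Python 3, re treats \w as Unicode-aware, so non-ASCII letters and the underscore pass the pattern as well, while a dot or slash never does.

```python
import posixpath
import re

# The same pattern the URLconf above uses to capture "page".
ABOUT_PATTERN = re.compile(r"^about/(\w+)/$")

# Constructed template root for the demo; nothing is read from disk.
TEMPLATE_ROOT = "/srv/mysite/templates"


def resolve_about_page(path):
    """Mimic the URL resolver: return the captured page name, or None when
    the path does not match and the view would never be called."""
    match = ABOUT_PATTERN.match(path)
    return match.group(1) if match else None


def template_name_for(page):
    """The same formatting the about_pages view uses."""
    return "about/%s.html" % page


def classify(path):
    """Return ("rejected_by_url", None) when the regex refuses the path,
    otherwise ("reaches_view", <template name the view would request>)."""
    page = resolve_about_page(path)
    if page is None:
        return "rejected_by_url", None
    return "reaches_view", template_name_for(page)


def stays_inside_root(template_name):
    """Hypothetical defence-in-depth check (not part of the page's view):
    collapse any '..' segments purely as path strings and confirm the result
    is still under TEMPLATE_ROOT."""
    full = posixpath.normpath(posixpath.join(TEMPLATE_ROOT, template_name))
    return full == TEMPLATE_ROOT or full.startswith(TEMPLATE_ROOT + "/")


if __name__ == "__main__":
    # Constructed sample requests, benign and hostile.
    for sample in ("about/company/", "about/../../etc/passwd/",
                   "about/..%2F..%2Fetc/", "about/team_2024/", "about/über/"):
        print("%-28s -> %s" % (sample, classify(sample)))
    # The extra check catches a traversal name even if it somehow reached the view.
    print(stays_inside_root("about/company.html"))
    print(stays_inside_root("about/../../../../etc/passwd.html"))
```

The first three lines of output show what the text describes: a page name built only from word characters reaches the view, while anything containing . , / or a percent-encoded slash is rejected by the resolver before the view runs. The last two samples show the caveat (an underscore or a Unicode letter is still a word character) and that the path-normalisation check would independently refuse a traversal name.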

This article is from the internet and does not represent 1024programmer's position; please indicate the source when reprinting: https://www.1024programmer.com/787615

author: admin
