from random import choice from django.forms import MultiWidget, TextInput, HiddenInput, MultiValueField, CharField from django.utils.safestring import mark_safe class NonceInput(MultiWidget): def __init__(self, attrs=None): allowed_chars = "abcdefghjkmnpqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789" self.nonce = ''.join([choice(allowed_chars) for i in range(20)]) try: del attrs['autocomplete'] except: pass widgets = (TextInput(attrs=attrs), HiddenInput(attrs=attrs)) super(NonceInput, self).__init__(widgets, attrs) def value_from_datadict(self, data, files, name): # hidden field nonce_name = self.widgets[1].value_from_datadict(data, files, name + '_1') value_field = self.widgets[0].value_from_datadict(data, files, nonce_name) return [value_field, nonce_name] def render(self, name, value, attrs=None): # value is a list of values, each corresponding to a widget # in self.widgets. output = [] final_attrs = self.build_attrs(attrs) id_ = final_attrs.get('id', None) nonce_name = name + '_%s' % self.nonce if id_: final_attrs = dict(final_attrs, id='%s_0' % id_) output.append(self.widgets[0].render(nonce_name, value, final_attrs)) if id_: final_attrs = dict(final_attrs, id='%s_1' % id_) output.append(self.widgets[1].render(name + '_1', nonce_name, final_attrs)) return mark_safe(self.format_output(output)) def decompress(self, value): return [value, self.nonce] class NonceField(MultiValueField): """Defines a CharField with a randomness name for disabling autocomplete and security purpose. https://wiki.mozilla.org/The_autocomplete_attribute_and_web_documents_using_XHTML#Security http://en.wikipedia.org/wiki/Cryptographic_nonce """ widget = NonceInput def __init__(self, *args, **kwargs): fields = ( CharField(), CharField() ) super(NonceField, self).__init__(fields, *args, **kwargs) def compress(self, data_list): try: return data_list[0] except: None