This will help to secure the sensitive secrets, token, api keys, etc from logger. As we know there is security issue when we include the sensitive information to the logger in case logger got leaked/hacked. Before: ``` INFO ('192.168.1.1', 33321) - "WebSocket /ssh?token=abcdefg&width=20&heigh20" ``` After: ``` INFO ('192.168.1.1', 33321) - "WebSocket /ssh?token=********&width=20&heigh20" ```
Usefull for TinyMCE, to allow some HTML but be vunarable by XXS attacks You need to install html5lib sudo easy_install html5lib
A middleware which will protect from page hammering using flexible spanning time windows using the cache backend. Please read the Docstring of the class for details.
This is a small and useful decorator that you can use to protect yourself from bad users or bots hitting your site.
Middleware to set "sessionid" (ou your session cookie) with httponly (see ["Django bug report"](http://code.djangoproject.com/ticket/3304)). To work, you need put it before "SessionMiddleware"
This is a quick hack to address the SSL info leakage covered here: http://www.freedom-to-tinker.com/blog/felten/side-channel-leaks-web-applications Don't use this in prod without testing. :-) I'll get some feedback from django-dev and update here.
CIDR ( http://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing ) is a well-known IP range syntax. This CIDR_LIST class can be used to make ranges of IPs considered "internal" for Django's debugging and security purposes. (Django only ever needs to do "ip in INTERNAL_IPS" so __contains__ is sufficient for the purpose.) For example, to make localhost and the entire block of 10.0.0.* considered to be internal, use: INTERNAL_IPS = CIDR_LIST([ '127.0.0.1', '10.0.0.0/24' ])
Reworked version of [this snippet](http://www.djangosnippets.org/snippets/205/) that now accepts an argument so the user can specify which tags to allow, and which attributes should be allowed for each tag. Argument should be in form `tag2:attr1:attr2 tag2:attr1 tag3`, where tags are allowed HTML tags, and attrs are the allowed attributes for that tag. It also uses code from [this post on stack overflow](http://stackoverflow.com/questions/16861/sanitising-user-input-using-python) to add XSS protection.
For disabling autocomplete and security purpose, this snippet defines a CharField with a randomness name for each request of the form. This is useful for turning off autocomplete for credit card input in all browsers, without breaking the xhtml validation. * [https://wiki.mozilla.org/The_autocomplete_attribute_and_web_documents_using_XHTML#Security](https://wiki.mozilla.org/The_autocomplete_attribute_and_web_documents_using_XHTML#Security) * [http://en.wikipedia.org/wiki/Cryptographic_nonce](http://en.wikipedia.org/wiki/Cryptographic_nonce)
This dead-simple piece of middleware adds a terrific security feature to django authentication. Currently, users who's accounts are de-activated still may have a cookie and a login session. This middleware destroys that session on their next request. Simply add this class into a middleware.py and add it to your settings.
This security field is based on the perception that spambots post data to forms in very short or very long regular intervals of time, where it takes reasonable time to fill in a form and to submit it for human beings. Instead of captcha images or Ajax-based security interaction, the SecurityField checks the time of rendering the form, and the time when it was submitted. If the interval is within the specific range (for example, from 5 seconds till 1 hour), then the submitter is considered as a human being. Otherwise the form doesn't validate. Usage example: class TestForm(forms.Form): prevent_spam = SecurityField() # ... other fields ... The concept works only for unbounded forms.
Sometimes it's useful to sign data to ensure the user does not tamper with it - for example, cookies or hidden form variables. SHA1 is cryptographically secure but weighs in at 40 characters, which is pretty long if you're going to be passing the data around in a URL or a cookie. These functions knock an SHA1 hash down to just 27 characters, thanks to a base65 encoding that only uses URL-safe characters (defined as characters which are unmodified by Python's urllib.urlencode function). This compressed hash can then be passed around in cookies or URLs, and uncompressed again when the signature needs to be checked. UPDATE: You probably shouldn't use this; see [http://fi.am/entry/urlsafe-base64-encodingdecoding-in-two-lines/](http://fi.am/entry/urlsafe-base64-encodingdecoding-in-two-lines/) for a smarter approach based on Python's built-in base64 module.
This code works like that in the Google Groups you see and when try to see an e-mail and it is like this "[email protected]" with a link to write a captcha code and see the true value. You can use it for anything you want: links, blocks of texts, block of HTML, etc. To use in your template, place the a code like this (remember to load the template tags file with a {% load file_name %} before): {% protectantirobots %} <a href="mailto: {{ office.email }}">{{ office.email }}</a> {% endprotectantirobots %} You can also use **django-plus** application to do this: [http://code.google.com/p/django-plus/](http://code.google.com/p/django-plus/)
When using a JavaScript WYSIWYG editor widget for text area content, the resulting HTML should be sanitized so no unallowed HTML tags (esp. script tags) are present. The [BeautifulSoup](http://www.crummy.com/software/BeautifulSoup/) library handles HTML processing in the solution presented above, so you should place it in the Python path. The snippet also assumes that you have [the Dojo Toolkit](http://dojotoolkit.org/) and its Editor2 widget loaded on your page. **Note**: this snippet was originally written for use with Dojo Toolkit 0.4, and it hasn't been updated for 0.9 or 1.0.