",".\n \n ","Note: This is a harmless script that, if executed, will display an alert box in your browser. If the alert is displayed when you submit the record then the site is vulnerable to XSS threats.","Press Submit to save the record.","\n When you save the author it will be displayed as shown below. Because of the XSS protections the ","alert()"," should not be run. Instead the script is displayed as plain text.\n \n ","If you view the page HTML source code, you can see that the dangerous characters for the script tags have been turned into their harmless escape code equivalents (for example, "," is now ",">",")","html","<h1>\n Author: Boon<script>alert('Test alert');</script>, David\n (Boonie)\nh1>\n","Using Django templates protects you against the majority of XSS attacks. However it is possible to turn off this protection, and the protection isn't automatically applied to all tags that wouldn't normally be populated by user input (for example, the ","help_text"," in a form field is usually not user-supplied, so Django doesn't escape those values).","It is also possible for XSS attacks to originate from other untrusted source of data, such as cookies, Web services or uploaded files (whenever the data is not sufficiently sanitized before including in a page). If you're displaying data from these sources, then you may need to add your own sanitization code.","Cross site request forgery (CSRF) protection","CSRF attacks allow a malicious user to execute actions using the credentials of another user without that user's knowledge or consent. For example consider the case where we have a hacker who wants to create additional authors for our LocalLibrary.","Note: Obviously our hacker isn't in this for the money! 
A more ambitious hacker could use the same approach on other sites to perform much more harmful tasks (such as transferring money to their own accounts, and so on.)","\n In order to do this, they might create an HTML file like the one below, which contains an author-creation form (like the one we used in the previous section) that is submitted as soon as the file is loaded.\n They would then send the file to all the Librarians and suggest that they open the file (it contains some harmless information, honest!). If the file is opened by any logged in librarian, then the form would be submitted with their credentials and a new author would be created.\n","Run the development web server, and log in with your superuser account. Copy the text above into a file and then open it in the browser. You should get a CSRF error, because Django has protection against this kind of thing!","The way the protection is enabled is that you include the ","{% csrf_token %}"," template tag in your form definition. This token is then rendered in your HTML as shown below, with a value that is specific to the user on the current browser.","<input\n type=\"hidden\"\n name=\"csrfmiddlewaretoken\"\n value=\"0QRWHnYVg776y2l66mcvZqp8alrv4lb8S8lZ4ZJUWGZFA5VHrVfL2mpH29YZ39PW\" />","Django generates a user/browser specific key and will reject forms that do not contain the field, or that contain an incorrect field value for the user/browser.","To use this type of attack the hacker now has to discover and include the CSRF key for the specific target user. They also can't use the \"scattergun\" approach of sending a malicious file to all librarians and hoping that one of them will open it, since the CSRF key is browser specific.","Django's CSRF protection is turned on by default. 
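To make the server-side check concrete, here is an added Python model of the verification described above. It is illustrative code, not Django's own middleware: `new_csrf_secret`, `hidden_input`, `extract_token`, `csrf_check` and `demo` are hypothetical names, and one random secret per browser session stands in for Django's cookie/session handling.

```python
import hmac
import re
import secrets
from typing import Dict, Optional, Tuple

FIELD = "csrfmiddlewaretoken"            # hidden field that {% csrf_token %} renders
SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}  # read-only methods are not checked

def new_csrf_secret() -> str:
    """Random per-browser-session secret (hypothetical helper; Django keeps its own in a cookie)."""
    return secrets.token_urlsafe(48)

def hidden_input(token: str) -> str:
    """Render the hidden field as the page shows it."""
    return f'<input type="hidden" name="{FIELD}" value="{token}" />'

def extract_token(html: str) -> Optional[str]:
    """What a real browser submits: the value taken from the rendered form."""
    m = re.search(rf'name="{FIELD}"\s+value="([^"]*)"', html)
    return m.group(1) if m else None

def csrf_check(method: str, session_token: Optional[str], form: Dict[str, str]) -> Tuple[bool, str]:
    """Server-side decision for one request: (allowed, reason)."""
    if method.upper() in SAFE_METHODS:
        return True, "safe method, no token required"
    if not session_token:
        return False, "no CSRF secret bound to this browser session"
    submitted = form.get(FIELD)
    if submitted is None:
        return False, "CSRF token missing"
    # Constant-time comparison on bytes, so a non-ASCII value cannot raise TypeError.
    if not hmac.compare_digest(submitted.encode(), session_token.encode()):
        return False, "CSRF token incorrect"
    return True, "ok"

def demo() -> Dict[str, Tuple[bool, str]]:
    """Three POSTs against one librarian's session (constructed sample data)."""
    librarian = new_csrf_secret()
    legit = {"first_name": "Boon", FIELD: extract_token(hidden_input(librarian))}  # site's own form
    forged = {"first_name": "Boon"}                      # cross-site file: no token at all
    guessed = dict(forged, **{FIELD: secrets.token_urlsafe(48)})  # cross-site file guessing a token
    return {
        "legitimate": csrf_check("POST", librarian, legit),
        "forged_no_token": csrf_check("POST", librarian, forged),
        "forged_guessed_token": csrf_check("POST", librarian, guessed),
    }
```

Only the submission whose token came from the form the site itself rendered for that browser is accepted; the two cross-site files are rejected before any author is created.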
You should always use the `{% csrf_token %}` template tag in your forms and use `POST` for requests that might change or add data to the database.

## Other protections

Django also provides other forms of protection (most of which would be hard or not particularly useful to demonstrate):

### SQL injection protection

SQL injection vulnerabilities enable malicious users to execute arbitrary SQL code on a database, allowing data to be accessed, modified, or deleted irrespective of the user's permissions. In almost every case you'll be accessing the database using Django's querysets/models, so the resulting SQL will be properly escaped by the underlying database driver. If you do need to write raw queries or custom SQL then you'll need to explicitly think about preventing SQL injection.

### Clickjacking protection

In this attack a malicious user hijacks clicks meant for a visible top-level site and routes them to a hidden page beneath. This technique might be used, for example, to display a legitimate bank site but capture the login credentials in an invisible