I have a problem in Django: I submit a form through jQuery's post function, but I can't seem to find a way to sanitize the input.
Here is the HTML:
<form id="create-comment" name="new_comment_form" action="/topic/new-comment/save/" method="POST" novalidate="novalidate" class="fv-form fv-form-bootstrap"><button type="submit" class="fv-hidden-submit" style="display: none; width: 0px; height: 0px;"></button><input type="hidden" name="csrfmiddlewaretoken" value="5jGzvHg4hdD1nnW1L8MzKNtTt2Kdro6L">
<div class="form-group has-feedback">
<label for="comment_content">Comment</label>
<textarea class="form-control" id="comment_content" rows="3" name="comment_content" placeholder="Enter content" data-fv-field="comment_content"></textarea><i class="form-control-feedback" data-fv-icon-for="comment_content" style="display: none;"></i>
<input name="topic_target" type="hidden" value="2">
<small class="help-block" data-fv-validator="notEmpty" data-fv-for="comment_content" data-fv-result="NOT_VALIDATED" style="display: none;">Comment content is required</small><small class="help-block" data-fv-validator="stringLength" data-fv-for="comment_content" data-fv-result="NOT_VALIDATED" style="display: none;">Please write at least 10 characters</small></div>
<div class="form-group">
<button id="create-comment-btn" type="submit" class="btn btn-success">Post Comment</button>
</div>
</form>
Here is the view:
import json

from django.core.exceptions import ObjectDoesNotExist
from django.http import Http404, HttpResponse
from django.utils import timezone

# Topic, CustomUser, Comments and get_comment_markup are the project's own
# models/helpers (not shown on this page).


def save_comment(request):
    if not request.is_ajax():
        raise Http404
    result = {}
    topic_id = request.POST['topic_target']
    comment = request.POST['comment_content']
    try:
        # Lookups sit inside the try so that a missing topic or user actually
        # reaches the ObjectDoesNotExist handler below.
        topic_related = Topic.objects.get(pk=topic_id)
        user = CustomUser.objects.get(user=request.user)
        new_comment = Comments(topic=topic_related, comment_content=comment,
                               date_created=timezone.now(), author=user)
        new_comment.save()
        # Generates and returns HTML markup for the new posted comment
        formatted_markup = get_comment_markup(new_comment)
        result = {'result': 'ok', 'markup': formatted_markup}
    except ObjectDoesNotExist:
        result = {'result': 'Something went wrong, this is embarrassing...please try again'}
    finally:
        json_result = json.dumps(result)
        return HttpResponse(json_result, content_type='application/json')
Here is the jQuery:
$('#create-comment').formValidation({
    framework: 'bootstrap',
    icon: {
        valid: 'glyphicon glyphicon-ok',
        invalid: 'glyphicon glyphicon-remove',
        validating: 'glyphicon glyphicon-refresh'
    },
    fields: {
        comment_content: {
            validators: {
                notEmpty: {
                    message: 'Comment content is required'
                },
                stringLength: {
                    min: 10,
                    max: 200,
                    message: 'Please write at least 10 characters'
                }
            }
        }
    }
})
.on('success.form.fv', function (e) {
    e.preventDefault();
    var $form = $(e.target),
        fv = $(e.target).data('formValidation');
    // Submit via AJAX and insert the returned markup as raw HTML
    $.post($form.attr('action'), $form.serialize())
        .done(function (data) {
            $('#pagination-low').before(data['markup']);
            fv.resetField('comment_content', true);
            return false;
        })
        .fail(function (xhr, status, error) {
            alert(error);
        });
});
The form field is validated correctly by formValidation and saved, but the value is not escaped/sanitized, so if I write a script it runs when the comment is rendered.
Any ideas on how to escape it? I am already using {% autoescape on %} on that part of the template.
Answer 0: (score: 0)
You should use a Django form in the view, so that you can write a clean_comment_content method that strips the HTML.
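As an added example (not part of the question or the answer above), the two places where the fix belongs: a server-side clean_comment_content that re-checks the length rules the client-side formValidation enforces, and a get_comment_markup that escapes every dynamic value, because {% autoescape on %} only covers values the template engine renders, not a string that jQuery's .before() inserts as raw HTML. To run without Django installed it uses html.escape as a stand-in for django.utils.html.escape and ValueError for forms.ValidationError; build_response mirrors the JSON shape the view returns.

```python
import html
import json
from datetime import datetime, timezone

# Stand-ins so the example runs without Django: html.escape plays the role of
# django.utils.html.escape and ValueError the role of forms.ValidationError.

MIN_LEN, MAX_LEN = 10, 200  # same limits the client-side formValidation enforces


def clean_comment_content(raw):
    """Server-side counterpart of a Django form's clean_comment_content().

    The browser validators (notEmpty, stringLength) are bypassed by anyone who
    posts to the URL directly, so the length rule is re-checked here. The text
    is stored as entered; escaping happens where the markup is built."""
    value = raw.strip()
    if not MIN_LEN <= len(value) <= MAX_LEN:
        raise ValueError('Please write between %d and %d characters' % (MIN_LEN, MAX_LEN))
    return value


def get_comment_markup(author, content, created):
    """Build the comment HTML the view returns inside its JSON payload.

    This string is inserted by jQuery as raw HTML, so every dynamic value must
    be escaped right here, before it reaches the browser."""
    return (
        '<div class="comment"><strong>%s</strong> <small>%s</small><p>%s</p></div>'
        % (html.escape(author), created.strftime('%Y-%m-%d %H:%M'), html.escape(content))
    )


def build_response(author, raw_comment, created=None):
    """Mirror save_comment(): return the JSON string the AJAX .done() handler receives."""
    created = created or datetime.now(timezone.utc)
    try:
        content = clean_comment_content(raw_comment)
    except ValueError as err:
        return json.dumps({'result': str(err)})
    return json.dumps({'result': 'ok', 'markup': get_comment_markup(author, content, created)})


if __name__ == '__main__':
    # Constructed sample input containing markup, the scenario from the question.
    when = datetime(2016, 1, 1, 12, 0, tzinfo=timezone.utc)
    print(build_response('alice', 'hello <b>world</b>, nice topic', when))
```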