后台增加log以及site，xss攻击漏洞

DjangoBlog/admin_site.py

@@ -13,7 +13,11 @@
 @time: 2018/1/7 上午2:21
 """
 from django.contrib.admin import AdminSite
-from django.contrib import admin
+from django.contrib.sites.models import Site
+from django.contrib.sites.admin import SiteAdmin
+from django.contrib.admin.models import LogEntry
+
+from DjangoBlog.logentryadmin import LogEntryAdmin
 from blog.admin import *
 from accounts.admin import *
 from oauth.admin import *
@@ -63,3 +67,7 @@ admin_site.register(OAuthUser, OAuthUserAdmin)
 admin_site.register(OAuthConfig, OAuthConfigAdmin)
 
 admin_site.register(OwnTrackLog, OwnTrackLogsAdmin)
+
+admin_site.register(Site, SiteAdmin)
+
+admin_site.register(LogEntry, LogEntryAdmin)

DjangoBlog/logentryadmin.py

@@ -0,0 +1,149 @@
+#!/usr/bin/env python
+# encoding: utf-8
+
+
+"""
+@version: ??
+@author: liangliangyy
+@license: MIT Licence 
+@contact: liangliangyy@gmail.com
+@site: https://www.lylinux.net/
+@software: PyCharm
+@file: logentryadmin.py
+@time: 2018/5/24 下午10:37
+"""
+from django.contrib.contenttypes.models import ContentType
+from django.urls import reverse, NoReverseMatch
+from django.contrib.admin.models import LogEntry, ADDITION, CHANGE, DELETION
+from django.contrib.auth import get_user_model
+from django.contrib.contenttypes.models import ContentType
+from django.utils.encoding import force_text
+from django.utils.html import escape
+from django.utils.translation import pgettext_lazy, ugettext_lazy as _
+from django.utils.safestring import mark_safe
+from django.contrib import admin
+
+action_names = {
+    ADDITION: pgettext_lazy('logentry_admin:action_type', 'Addition'),
+    DELETION: pgettext_lazy('logentry_admin:action_type', 'Deletion'),
+    CHANGE: pgettext_lazy('logentry_admin:action_type', 'Change'),
+}
+
+
+class LogEntryAdmin(admin.ModelAdmin):
+    date_hierarchy = 'action_time'
+
+    readonly_fields = ([f.name for f in LogEntry._meta.fields] +
+                       ['object_link', 'action_description', 'user_link',
+                        'get_change_message'])
+
+    fieldsets = (
+        (_('Metadata'), {
+            'fields': (
+                'action_time',
+                'user_link',
+                'action_description',
+                'object_link',
+            )
+        }),
+        (_('Details'), {
+            'fields': (
+                'get_change_message',
+                'content_type',
+                'object_id',
+                'object_repr',
+            )
+        }),
+    )
+
+    list_filter = [
+        'content_type'
+    ]
+
+    search_fields = [
+        'object_repr',
+        'change_message'
+    ]
+
+    list_display_links = [
+        'action_time',
+        'get_change_message',
+    ]
+    list_display = [
+        'action_time',
+        'user_link',
+        'content_type',
+        'object_link',
+        'action_description',
+        'get_change_message',
+    ]
+
+    def has_add_permission(self, request):
+        return False
+
+    def has_change_permission(self, request, obj=None):
+        return (
+                       request.user.is_superuser or
+                       request.user.has_perm('admin.change_logentry')
+               ) and request.method != 'POST'
+
+    def has_delete_permission(self, request, obj=None):
+        return False
+
+    def object_link(self, obj):
+        object_link = escape(obj.object_repr)
+        content_type = obj.content_type
+
+        if obj.action_flag != DELETION and content_type is not None:
+            # try returning an actual link instead of object repr string
+            try:
+                url = reverse(
+                    'admin:{}_{}_change'.format(content_type.app_label,
+                                                content_type.model),
+                    args=[obj.object_id]
+                )
+                object_link = '<a href="{}">{}</a>'.format(url, object_link)
+            except NoReverseMatch:
+                pass
+        return mark_safe(object_link)
+
+    object_link.admin_order_field = 'object_repr'
+    object_link.short_description = _('object')
+
+    def user_link(self, obj):
+        content_type = ContentType.objects.get_for_model(type(obj.user))
+        user_link = escape(force_text(obj.user))
+        try:
+            # try returning an actual link instead of object repr string
+            url = reverse(
+                'admin:{}_{}_change'.format(content_type.app_label,
+                                            content_type.model),
+                args=[obj.user.pk]
+            )
+            user_link = '<a href="{}">{}</a>'.format(url, user_link)
+        except NoReverseMatch:
+            pass
+        return mark_safe(user_link)
+
+    user_link.admin_order_field = 'user'
+    user_link.short_description = _('user')
+
+    def get_queryset(self, request):
+        queryset = super(LogEntryAdmin, self).get_queryset(request)
+        return queryset.prefetch_related('content_type')
+
+    def get_actions(self, request):
+        actions = super(LogEntryAdmin, self).get_actions(request)
+        if 'delete_selected' in actions:
+            del actions['delete_selected']
+        return actions
+
+    def action_description(self, obj):
+        return action_names[obj.action_flag]
+
+    action_description.short_description = _('action')
+
+    def get_change_message(self, obj):
+        return obj.get_change_message()
+
+    get_change_message.short_description = _('change message')

templates/blog/tags/article_info.html

@@ -38,7 +38,7 @@
 
     <div class="entry-content" itemprop="articleBody">
         {% if  isindex %}
-            {{ article.body|custom_markdown|truncatechars_content }}
+            {{ article.body|escape|custom_markdown|truncatechars_content }}
             <p class='read-more'><a
                     href=' {{ article.get_absolute_url }}'>Read more</a></p>
         {% else %}

templates/comments/tags/comment_item.html

@@ -24,7 +24,7 @@
             {{ comment_item.created_time }}
         </div>
 
-        <p>{{ comment_item.body |custom_markdown }}</p>
+        <p>{{ comment_item.body |escape|custom_markdown }}</p>
 
         <div class="reply"><a rel="nofollow" class="comment-reply-link"
                               href="javascript:void(0)"