Login

NonceField for disabling autocompletion

Author:
johnnoone
Posted:
February 22, 2009
Language:
Python
Version:
1.0
Score:
2 (after 2 ratings)

For disabling autocomplete and security purpose, this snippet defines a CharField with a randomness name for each request of the form.

This is useful for turning off autocomplete for credit card input in all browsers, without breaking the xhtml validation.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
from random import choice

from django.forms import MultiWidget, TextInput, HiddenInput, MultiValueField, CharField
from django.utils.safestring import mark_safe

class NonceInput(MultiWidget):
    def __init__(self, attrs=None):
        allowed_chars = "abcdefghjkmnpqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789"
        self.nonce = ''.join([choice(allowed_chars) for i in range(20)])
        
        try:
            del attrs['autocomplete']
        except:
            pass
        
        widgets = (TextInput(attrs=attrs), HiddenInput(attrs=attrs))
        super(NonceInput, self).__init__(widgets, attrs)
    
    def value_from_datadict(self, data, files, name):
        # hidden field
        nonce_name = self.widgets[1].value_from_datadict(data, files, name + '_1')
        value_field = self.widgets[0].value_from_datadict(data, files, nonce_name)
        
        return [value_field, nonce_name]
    
    def render(self, name, value, attrs=None):
        # value is a list of values, each corresponding to a widget
        # in self.widgets.
        output = []
        final_attrs = self.build_attrs(attrs)
        id_ = final_attrs.get('id', None)
        nonce_name = name + '_%s' % self.nonce
        
        if id_:
            final_attrs = dict(final_attrs, id='%s_0' % id_)
        output.append(self.widgets[0].render(nonce_name, value, final_attrs))
        
        if id_:
            final_attrs = dict(final_attrs, id='%s_1' % id_)
        output.append(self.widgets[1].render(name + '_1', nonce_name, final_attrs))
        
        return mark_safe(self.format_output(output))
    
    def decompress(self, value):
        return [value, self.nonce]
    

class NonceField(MultiValueField):
    """Defines a CharField with a randomness name for disabling autocomplete and 
    security purpose.
    
    https://wiki.mozilla.org/The_autocomplete_attribute_and_web_documents_using_XHTML#Security
    http://en.wikipedia.org/wiki/Cryptographic_nonce
    
    """
    
    widget = NonceInput
    
    def __init__(self, *args, **kwargs):
        fields = (
            CharField(),
            CharField()
        )
        super(NonceField, self).__init__(fields, *args, **kwargs)
    
    def compress(self, data_list):
        try:
            return data_list[0]
        except:
            None
    

More like this

  1. Template tag - list punctuation for a list of items by shapiromatron 8 months ago
  2. JSONRequestMiddleware adds a .json() method to your HttpRequests by cdcarter 8 months, 1 week ago
  3. Serializer factory with Django Rest Framework by julio 1 year, 3 months ago
  4. Image compression before saving the new model / work with JPG, PNG by Schleidens 1 year, 3 months ago
  5. Help text hyperlinks by sa2812 1 year, 4 months ago

Comments

Please login first before commenting.