On Jan 26, 6:56 pm, FeatherDark <msensei...@gmail.com> wrote:
> Greetings huge django developer list,
> I just wanted to mention, this method totally works for me, I call it
> "Skinning"
>
> In the templates folder I have a file called "base.html"
> Inside that file is only 1 line:
> {% extends request.META.HTTP_HOST|cut:':'|add:'.html'%}

request.META.HTTP_HOST is coming from the client. "Trust but verify", you
are not verifying this. It could pose a security risk. One could send
a request with a malicious Host header and make the site retrieve a
different template. This is not a serious issue, since you probably
don't have templates that would wreak havoc.

Why don't you create your own template context processor that would add the
verified HTTP_HOST to the template context? Then you could do just

{% extends MY_VERIFIED_HTTP_HOST %}

See:
http://docs.djangoproject.com/en/dev/ref/request-response/#django.http.HttpRequest.META
http://docs.djangoproject.com/en/dev/ref/templates/api/#writing-your-own-context-processors
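
One way to write the context processor suggested above, as an added example that is not part of the original message or of Django itself. The names `verified_host`, `skin`, `SKIN_TEMPLATES` and `DEFAULT_SKIN`, the host names and the template paths are assumptions; the base template would then contain only `{% extends MY_VERIFIED_HTTP_HOST %}`.

```python
import re

# Assumption: the hosts this deployment serves, each pinned to a fixed skin
# template. Host names and template paths are constructed for illustration.
SKIN_TEMPLATES = {
    "example.com": "skins/example.com.html",
    "shop.example.com": "skins/shop.example.com.html",
}
DEFAULT_SKIN = "skins/default.html"

# Host name labels, an optional trailing dot, an optional port.
_HOST_RE = re.compile(r"([a-z0-9-]+(?:\.[a-z0-9-]+)*)\.?(?::\d{1,5})?")


def verified_host(raw_host):
    """Return the normalised host name if it is on the allowlist, else None."""
    if not isinstance(raw_host, str):
        return None  # header missing
    match = _HOST_RE.fullmatch(raw_host.strip().lower())
    if match is None:
        return None  # not a plain host[:port] value
    host = match.group(1)  # port and trailing dot are dropped here
    return host if host in SKIN_TEMPLATES else None


def skin(request):
    """Context processor: the template name is chosen by the server.

    The client-supplied Host header only selects among known entries and
    never becomes part of the template path itself.
    """
    host = verified_host(request.META.get("HTTP_HOST"))
    return {"MY_VERIFIED_HTTP_HOST": SKIN_TEMPLATES.get(host, DEFAULT_SKIN)}
```

Unlike the `cut:':'` filter in the quoted template, this drops the port instead of merging it into the file name, and any host that is not on the allowlist falls back to the default skin.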
