I missed the reply, so apologies for reviving this thread after more
than a week.

On Jan 27, 1:28 am, Bill Freeman <ke1g...@gmail.com> wrote:
> I think that depends upon the context the view provides, and upon what
> tag libraries can be loaded.

I think I can work with that.

> Objects in the context can have their methods called (with some
> restrictions).  If your view pre-converts all interesting data to
> strings and numbers, and/or sequences or dictionaries of such, then
> the available methods are limited so you can review them for safety.

Model instances and querysets? I cannot think of any dangerous
methods that can be called without arguments, but I am far from sure.

If it's not designed for it, it's probably not safe to do it. I suppose I
could wrap something around these to restrict the methods available.

> You could also automate checking of any tag libraries loaded against a
> list of those you have deemed safe.

The only tag libraries available should be ones I think are safe.

> Of course, there could be additional vulnerabilities that aren't coming to 
> mind.

That is what I am most worried about :(

The specific problem of nested loops also does not seem to have a
solution.

>
> Bill
>
> On 1/26/12, graeme <graeme.piete...@gmail.com> wrote:
> > Are Django templates safe enough to use templates provided by
> > untrusted users? Is it possible to limit functionality? I am not only
> > concerned with what the templates can access, but also things like
> > being able to consume excessive resources with, for example, deeply
> > nested loops.
>
> > If not Django templates then what? I ideally need simple conditionals
> > and some way of looping. Mustache is close to what I need (it will
> > probably do if I cannot find better) but AFAIK cannot iterate over a
> > tree. I also just found
> > StringTemplate (from stringtemplate.org, not the standard library!).
> > Anyone tried either of these?

-- 
You received this message because you are subscribed to the Google Groups 
"Django users" group.
To post to this group, send email to django-users@googlegroups.com.
To unsubscribe from this group, send email to 
django-users+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/django-users?hl=en.
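An added example, not code from this thread or from Django itself, of the two defensive ideas Bill suggests above: pre-converting context data to plain strings, numbers, lists and dicts (so a template has nothing callable to reach), and checking which tag libraries a template tries to `{% load %}` against an allow list. `Article`, its `exposed_fields` attribute and the allow lists are constructed stand-ins for illustration, not Django APIs.

```python
import re
from collections.abc import Mapping

SCALARS = (str, int, float, bool, type(None))

# Constructed stand-in for a model class; not Django's Model.
class Article:
    exposed_fields = ("title", "published")  # the only attributes a template may see
    def __init__(self, title, published):
        self.title, self.published = title, published
    def delete(self):  # the kind of method an untrusted template must never reach
        raise RuntimeError("delete() reached from a template")

def to_safe_context(value, depth=6):
    """Copy value into str/number/bool/None, lists and dicts only.
    Objects are flattened to their exposed_fields allow list, so the
    resulting context contains no callables for a template to invoke."""
    if depth < 0:
        raise ValueError("context nested too deeply")
    if isinstance(value, SCALARS):
        return value
    if isinstance(value, Mapping):
        return {str(k): to_safe_context(v, depth - 1) for k, v in value.items()}
    exposed = getattr(type(value), "exposed_fields", None)
    if exposed is not None:
        return {f: to_safe_context(getattr(value, f), depth - 1) for f in exposed}
    if hasattr(value, "__iter__"):  # lists, tuples, sets, QuerySet-like iterables
        return [to_safe_context(v, depth - 1) for v in value]
    raise TypeError(f"refusing to expose {type(value).__name__} to a template")

LOAD_RE = re.compile(r"{%\s*load\s+(.+?)\s*%}")

def disallowed_loads(template_source, allowed_libraries):
    """Return the tag libraries a template tries to {% load %} that are
    not on the allow list; an empty list means every load is permitted."""
    found = set()
    for match in LOAD_RE.finditer(template_source):
        tokens = match.group(1).split()
        if "from" in tokens:  # {% load tag1 tag2 from library %}
            found.add(tokens[tokens.index("from") + 1])
        else:  # {% load library1 library2 %}
            found.update(tokens)
    return sorted(found - set(allowed_libraries))

if __name__ == "__main__":
    ctx = to_safe_context({"articles": [Article("Hello", True)], "count": 2})
    print(ctx)  # {'articles': [{'title': 'Hello', 'published': True}], 'count': 2}
    print(disallowed_loads("{% load static humanize %}", ["static"]))  # ['humanize']
```

This covers the data and tag-library side only; it does nothing about the deeply nested loop concern raised in the original question.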