Is it safe to keep Django template strings inside a TextField of a Django model and allow users with staff privileges to edit them?
I'm asking because I'm unsure how safe or dangerous this could be. Would it be possible to abuse a built-in template tag to execute arbitrary code on the server? What are possible attack scenarios? XSS for sure, but that's always possible with anyone you allow to publish HTML on your servers.
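One defensive control for the setup described in the question, as an added example (not code from the original post or from Django): a validator that allowlists the template tags and filters a staff-editable stored template may use, so `{% load %}`-style tags and output-unescaping filters are rejected before the string is saved. The allowlists are constructed for this example and it deliberately imports nothing from Django so it runs stand-alone.

```python
import re

# Added example (not from the original post): validator for Django template
# strings stored in a model TextField and edited by staff. Allowlists are
# constructed for this example; anything not listed is rejected.
ALLOWED_TAGS = {"if", "elif", "else", "endif", "for", "empty", "endfor",
                "with", "endwith", "comment", "endcomment"}
ALLOWED_FILTERS = {"escape", "date", "default", "length", "lower", "upper",
                   "title", "truncatechars", "linebreaksbr"}

TAG_RE = re.compile(r"{%\s*(\w+)(.*?)%}", re.S)   # {% tag args %}
VAR_RE = re.compile(r"{{(.*?)}}", re.S)            # {{ expr|filter }}


class TemplateNotAllowed(ValueError):
    """Raised when a stored template uses a tag or filter outside the allowlist."""


def filters_in(expr):
    """Return the filter names applied in an expression like 'x|lower|default:"-"'.

    Filter arguments after ':' are dropped. A quoted '|' inside an argument
    would be read as an extra filter, which only makes the check stricter.
    """
    return [part.split(":", 1)[0].strip() for part in expr.split("|")[1:]]


def validate_stored_template(source):
    """Return ``source`` unchanged if every tag and filter is allowlisted.

    Intended as a field validator (e.g. ``TextField(validators=[...])``);
    it uses no Django imports so it runs stand-alone here.
    """
    for match in TAG_RE.finditer(source):
        tag, args = match.group(1), match.group(2)
        if tag not in ALLOWED_TAGS:
            raise TemplateNotAllowed(f"tag {tag!r} is not allowed")
        # Tag arguments may carry filters too: {% for x in items|dictsort:"k" %}
        for token in args.split():
            for name in filters_in(token):
                if name not in ALLOWED_FILTERS:
                    raise TemplateNotAllowed(f"filter {name!r} is not allowed")
    for match in VAR_RE.finditer(source):
        for name in filters_in(match.group(1)):
            if name not in ALLOWED_FILTERS:
                raise TemplateNotAllowed(f"filter {name!r} is not allowed")
    return source
```

In Django itself, pair this with rendering through a dedicated `django.template.Engine` whose `libraries` argument is empty and whose `autoescape` stays on, so a stored template cannot pull in additional tag libraries and its output is escaped by default.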