On 10/6/07, James Bennett <[EMAIL PROTECTED]> wrote:
> > By the way, it would be nice to have a small (sub)chapter in the docs
> > that mentions all the things someone has to take care of when exposing the
> > Django templates to arbitrary users.
>
> Personally, I wouldn't ever open up the template language to arbitrary
> users. It's asking for trouble.
I've considered it, and I've only found one way that seemed suitably safe to me: writing a custom template parser. I was looking to allow users to submit theme templates, and have their designs take effect when they're logged in. Since doing so would only need the "extends" and "block" tags, I wrote a custom parser that only included those tags, so if they used anything else, it would raise an error before allowing them to be saved.

It's really not a terribly complicated approach, but it does require that you limit what you intend to allow. If it's more of "everything but these few special cases", it'd probably be murder to get it working securely.

-Gul
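The allowlist approach Gul describes, written out as an added example that is not code from the original post and not Django's own parser. It assumes a simplified scanner for the three Django token kinds (`{% %}`, `{{ }}`, `{# #}`), a constructed allowlist of just `extends`, `block` and `endblock`, and a constructed rule that `extends` must name its base template literally; the tag names and sample templates are the author's assumptions for illustration. A rejected template raises before it is saved, which is the point of the technique: the user never gets a template past validation that the restricted parser would not accept.

```python
import re

# Constructed policy: only the tags a submitted theme needs (assumption).
ALLOWED_TAGS = {"extends", "block", "endblock"}

# Simplified scanner for Django-style tokens; like Django's lexer it does not
# let a token span lines, so no re.DOTALL. This is not Django's own code.
TOKEN_RE = re.compile(r"{%.*?%}|{{.*?}}|{#.*?#}")

# Assumption for this example: a theme may only extend a literally named base.
LITERAL_NAME_RE = re.compile(r"""(['"])[\w./-]+\1""")


class ForbiddenTemplateTag(ValueError):
    """Raised when a theme template uses a tag outside the allowlist."""


def validate_theme_template(source, allowed=ALLOWED_TAGS):
    """Return the (tag_name, argument) pairs used in `source`, in order.

    Raises ForbiddenTemplateTag on the first disallowed tag so the template
    can be rejected before it is stored or rendered for anyone.
    """
    seen = []
    for match in TOKEN_RE.finditer(source):
        token = match.group(0)
        if not token.startswith("{%"):
            continue  # {{ var }} output and {# comment #} carry no tags
        body = token[2:-2].strip()
        if not body:
            raise ForbiddenTemplateTag("empty block tag")
        parts = body.split(None, 1)
        name = parts[0]
        arg = parts[1].strip() if len(parts) > 1 else ""
        if name not in allowed:
            raise ForbiddenTemplateTag(
                "tag %r is not permitted in theme templates" % name)
        if name == "extends" and not LITERAL_NAME_RE.fullmatch(arg):
            # A variable or expression here would let the theme pick its parent.
            raise ForbiddenTemplateTag("extends must name a template literally")
        seen.append((name, arg))
    return seen


def theme_template_is_safe(source):
    """Boolean wrapper: True only if every tag in `source` is allowlisted."""
    try:
        validate_theme_template(source)
    except ForbiddenTemplateTag:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample submissions.
    good = ("{% extends 'base.html' %}\n"
            "{% block content %}<p>{{ user.username|title }}</p>{% endblock %}")
    bad = "{% extends 'base.html' %}{% load static %}"
    print(validate_theme_template(good))
    print(theme_template_is_safe(bad))
```

Only the tag layer is checked here; what reaches `{{ }}` output is controlled separately by what you put in the rendering context, which is the other half of keeping a user-supplied theme harmless.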