On 06.10.2007 at 19:49, James Bennett wrote:
> Personally, I wouldn't ever open up the template language to arbitrary
> users. It's asking for trouble.
I have some doubts too, although there are not so many alternatives.
The other template engines for python I've seen support more
dangerous
On Sat, 2007-10-06 at 11:24 +0200, Andreas Ahlenstorf wrote:
>
> On 06.10.2007 at 00:24, Malcolm Tredinnick wrote:
>
> > (or wrap it in a class that provides only an
> > iterator over the queryset's iterator and no access to the wrapped
> > object).
>
> Could you share a small code sample on
On 10/6/07, James Bennett <[EMAIL PROTECTED]> wrote:
> > By the way, it would be nice to have a small (sub)chapter in the docs
> > that mentions all the things someone has to care of when exposing the
> > Django templates to arbitrary users.
>
> Personally, I wouldn't ever open up the template lan
On 10/6/07, Andreas Ahlenstorf <[EMAIL PROTECTED]> wrote:
> Do you think about specific context processors or tags provided by
> default with Django?
Built-in tags I'm not so worried about, though there are some
dangerous context processors (the 'request' and 'debug' processors,
for example). But
On 06.10.2007 at 02:06, James Bennett wrote:
> Although the problem of opening up the Django template language to
> arbitrary users runs much deeper; a site administrator needs to be
> *very* careful not only about what's passed in the context, but also
> about context processors and available
On 06.10.2007 at 00:17, Jonathan Buchanan wrote:
> http://www.djangoproject.com/documentation/templates_python/
> #rendering-a-context
My question is about built-ins, not about custom methods in the models.
Regards,
A.
On 06.10.2007 at 00:24, Malcolm Tredinnick wrote:
> (or wrap it in a class that provides only an
> iterator over the queryset's iterator and no access to the wrapped
> object).
Could you share a small code sample on how to do this efficiently?
Regards,
A.
On 10/5/07, Malcolm Tredinnick <[EMAIL PROTECTED]> wrote:
> The user can only call methods on the objects you pass to the template
> via the context. So if you want to restrict what they can do, only pass
> in objects that have the methods you want to permit. This is exactly why
> this method of f
On Sat, 2007-10-06 at 00:08 +0200, Andreas Ahlenstorf wrote:
> Hi,
>
> At the moment, it's possible to retrieve more data in the
> templates using method calls like all() [1]. While this may be fine
> in controlled environments, it may pose a risk at services where you
> have to deal wit
Andreas Ahlenstorf wrote:
> Hi,
>
> At the moment, it's possible to retrieve more data in the
> templates using method calls like all() [1]. While this may be fine
> in controlled environments, it may pose a risk at services where you
> have to deal with user supplied templates (think of
Hi,
At the moment, it's possible to retrieve more data in the
templates using method calls like all() [1]. While this may be fine
in controlled environments, it may pose a risk at services where you
have to deal with user supplied templates (think of a service like
Typepad). A user mi