I would like to allow users to control how data is displayed, but I don't want to compromise security - is there a good way to do this?
I've considered creating a class which would store a display template in a string, and then modifying the standard template class to use this string as the 'template' property. It would be fairly easy to strip out any <?python ... ?> tags from the template string, but I'm concerned that basic aspects of kid templates would still present security problems - for example malicious code could be inserted into a 'py:if' declaration. Is this a valid concern, and if so is there any way to do something similar in a way which would allow read-only access to the system's data without allowing users to do anything nasty to the site?
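As an added example (not part of the original post, and not TurboGears or Kid code), the sketch below lists every construct in a template string that Kid evaluates as Python: `<?python ?>` processing instructions, attributes in the `py:` namespace such as `py:if`, and `$name` / `${expr}` substitutions. It shows that stripping the processing instructions alone leaves the other two kinds in place. The function names and the sample template are constructed for illustration, and the template is assumed to be well-formed XML.

```python
import re
import xml.etree.ElementTree as ET

KID_NS = "{http://purl.org/kid/ns#}"          # namespace bound to the py: prefix
PI_RE = re.compile(r"<\?python\b.*?\?>", re.DOTALL)
# ${expr} or $name; a doubled "$$" is Kid's escape for a literal dollar sign
INTERP_RE = re.compile(r"(?<!\$)\$(?:\{[^}]*\}|[A-Za-z_]\w*)")

# Constructed sample of a user-supplied display template (benign expressions).
SAMPLE = """<div xmlns:py="http://purl.org/kid/ns#">
  <?python greeting = 'hi' ?>
  <p py:if="user.is_admin">Admin: ${user.name}</p>
  <ul><li py:for="item in items" class="row $style">text</li></ul>
  <p>Plain text only</p>
</div>"""

def strip_python_pis(template):
    """The stripping step described in the post: remove <?python ... ?> only."""
    return PI_RE.sub("", template)

def find_python_constructs(template):
    """Return (kind, location, source) for each construct Kid would evaluate."""
    findings = [("pi", "<?python?>", m.group(0)) for m in PI_RE.finditer(template)]
    root = ET.fromstring(template)            # raises ParseError if not well-formed
    for elem in root.iter():
        tag = elem.tag.split("}")[-1]
        for name, value in elem.attrib.items():
            if name.startswith(KID_NS):       # py:if, py:for, py:content, ...
                findings.append(("py-attr", f"{tag}@py:{name[len(KID_NS):]}", value))
            else:                             # substitution inside a normal attribute
                for m in INTERP_RE.finditer(value):
                    findings.append(("interp", f"{tag}@{name}", m.group(0)))
        for text in (elem.text, elem.tail):   # substitution inside text nodes
            for m in INTERP_RE.finditer(text or ""):
                findings.append(("interp", tag, m.group(0)))
    return findings

if __name__ == "__main__":
    for finding in find_python_constructs(strip_python_pis(SAMPLE)):
        print(finding)
```

A template is free of evaluated Python only when `find_python_constructs` returns an empty list, which limits user templates to static markup.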

