tag libraries can be loaded.
Objects in the context can have their methods called (with some
restrictions). If your view pre-converts all interesting data to
strings and numbers, and/or sequences or dictionaries of such, then
the available methods are limited so you can review them for safety.
You could also automate checking of any tag libraries loaded against a
list of those you have deemed safe.
Of course, there could be additional vulnerabilities that aren't coming to mind.
Bill
On 1/26/12, graeme <graeme.pietersz@gmail.com> wrote:
> Are Django templates safe enough to use templates provided by
> untrusted users? Is it possible to limit functionality? I am not only
> concerned with what the templates can access, but also things like
> being able to consume excessive resources with, for example, deeply
> nested loops.
>
> If not Django templates then what? I ideally need simple conditionals
> and some way of looping. Mustache is close to what I need (it will
> probably do if I cannot find better) but AFAIK cannot iterate over a
> tree. I also just found
> StringTemplate (from stringtemplate.org, not the standard library!).
> Anyone tried either of these?
>
--
You received this message because you are subscribed to the Google Groups "Django users" group.
To post to this group, send email to django-users@googlegroups.com.
To unsubscribe from this group, send email to django-users+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/django-users?hl=en.
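The two checks Bill describes, flattening the context to plain data so that only reviewable methods remain reachable from a template, and comparing the tag libraries a template loads against a reviewed allowlist, can be scripted before an untrusted template is ever compiled. The following is an added example written for this thread, not code from the Django project or from either poster. It uses only the standard library (no Django import) and works on the template source text; the allowlist contents, the `_Order` stand-in class and the sample template are constructed for illustration. It also goes one step beyond Bill's reply by measuring `{% for %}` nesting depth, which addresses the resource-consumption worry in the original question.

```python
import re
from numbers import Number

# Hypothetical allowlist: tag libraries the site has reviewed and deemed safe.
# These names are chosen for the illustration, not a recommendation.
SAFE_TAG_LIBRARIES = frozenset({"i18n", "l10n"})

# {% load lib1 lib2 %} and {% load tag1 tag2 from lib %} are both valid Django syntax.
LOAD_TAG_RE = re.compile(r"{%\s*load\s+(.*?)\s*%}", re.DOTALL)
FOR_TAG_RE = re.compile(r"{%\s*(endfor|for)\b")


def loaded_tag_libraries(template_source):
    """Return the set of tag library names a template source tries to load."""
    libs = set()
    for match in LOAD_TAG_RE.finditer(template_source):
        words = match.group(1).split()
        if "from" in words:
            libs.add(words[-1])      # {% load a b from lib %} -> lib
        else:
            libs.update(words)       # {% load lib1 lib2 %}
    return libs


def unsafe_tag_libraries(template_source, allowed=SAFE_TAG_LIBRARIES):
    """Libraries the template loads that are not on the reviewed allowlist."""
    return sorted(loaded_tag_libraries(template_source) - set(allowed))


def max_for_nesting(template_source):
    """Deepest nesting of {% for %} loops, a cheap proxy for loop cost."""
    depth = deepest = 0
    for match in FOR_TAG_RE.finditer(template_source):
        if match.group(1) == "for":
            depth += 1
            deepest = max(deepest, depth)
        else:
            depth = max(0, depth - 1)
    return deepest


def to_plain_data(value, _depth=0):
    """Reduce an object graph to str/number/bool/None and lists/dicts of those.

    Model instances, callables and other objects collapse to their str() form,
    so a template can no longer reach methods such as delete() or save() on them.
    """
    if _depth > 10:
        raise ValueError("context nested too deeply")
    if value is None or isinstance(value, (bool, str, Number)):
        return value
    if isinstance(value, dict):
        return {str(k): to_plain_data(v, _depth + 1) for k, v in value.items()}
    if isinstance(value, (list, tuple, set, frozenset)):
        return [to_plain_data(v, _depth + 1) for v in value]
    return str(value)


def check_untrusted_template(template_source, allowed=SAFE_TAG_LIBRARIES, max_depth=2):
    """Collect the reasons an untrusted template should be rejected (empty = accept)."""
    problems = []
    for lib in unsafe_tag_libraries(template_source, allowed):
        problems.append("loads unreviewed tag library: %s" % lib)
    depth = max_for_nesting(template_source)
    if depth > max_depth:
        problems.append("for-loop nesting %d exceeds limit %d" % (depth, max_depth))
    return problems


class _Order:
    """Constructed stand-in for a model instance with a dangerous method."""
    total = 42

    def __str__(self):
        return "order#7"

    def delete(self):
        raise RuntimeError("must never be reachable from a template")


# Constructed sample template submitted by an untrusted user.
SAMPLE_TEMPLATE = (
    "{% load i18n custom_tags %}"
    "{% for row in rows %}{% for cell in row %}{{ cell }}{% endfor %}{% endfor %}"
)

if __name__ == "__main__":
    print(check_untrusted_template(SAMPLE_TEMPLATE))
    print(to_plain_data({"order": _Order(), "rows": [("a", 1), ("b", 2)]}))
```

`to_plain_data` is applied to the view's context before rendering; the template then sees only strings, numbers and containers of them, which is exactly the reviewable surface Bill refers to. The `{% load %}` scan is a source-level pre-check, so it should run before `Template()` compiles the text, and it is deliberately stricter than Django itself (an unknown library fails the check rather than raising at compile time).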