Tuesday, June 29, 2010

Disabling the use of certain template tags

Hey guys,

I'm planning on writing a Django app that will serve as a tool for
writing mail-merge type form letters. Well, not actually letters, but
documents which will have variable substitution in them, to be
rendered either as HTML or LaTeX documents or some other markup language.

Of course, I would love to be able to take advantage of the Django
template system. I imagine users being able to create their own
templates which are then rendered with contexts to produce the output
documents.

That part is pretty easy -- I've done something similar before, and
there's also the django-dbtemplates app which appears to do something
similar.

But I want to ensure that my users can't access anything in the template
*loader*, to prevent them including system templates or other
potentially sensitive things into their own templates.

To that end, is there a way I can load and render templates, but disable
any occurrences of the {% include %} or {% extends %} tags or things of
that nature?

Cheers,

Tom
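
One way to enforce the restriction asked about above, as an added example that is not part of the original post: an allowlist check run over user-supplied template source before it ever reaches the template engine. The allowlist contents and the names `check_user_template`, `is_safe` and `ForbiddenTag` are assumptions made for illustration.

```python
import re

# Assumed allowlist (not from the post): tags that only read the render context.
ALLOWED_TAGS = frozenset({
    "if", "elif", "else", "endif",
    "for", "empty", "endfor",
    "with", "endwith",
})

# Match every "{%" opener and the first word after it. Inspecting each opener,
# rather than pairing "{%" with "%}", means a tag hidden inside a comment or
# after an unterminated opener is still checked: the scan fails closed.
OPENER_RE = re.compile(r"\{%\s*([^\s%]*)")


class ForbiddenTag(ValueError):
    """A user template used a tag outside ALLOWED_TAGS."""


def check_user_template(source):
    """Return the sorted tag names used; raise ForbiddenTag on any other tag."""
    used = set()
    for match in OPENER_RE.finditer(source):
        name = match.group(1)
        if name not in ALLOWED_TAGS:
            line = source.count("\n", 0, match.start()) + 1
            raise ForbiddenTag("line %d: tag %r is not permitted" % (line, name))
        used.add(name)
    return sorted(used)


def is_safe(source):
    """Boolean wrapper for callers that only need accept or reject."""
    try:
        check_user_template(source)
    except ForbiddenTag:
        return False
    return True


# Constructed sample templates.
LETTER = "Dear {{ name }},\n{% if overdue %}Your payment is late.{% endif %}\n"
HOSTILE = "{% extends 'admin/base.html' %}{% include 'settings.txt' %}"
HIDDEN = "{# note\n{% include 'secret.html' %}\n#}"
```

Because `load` is not on the allowlist, a user template also cannot pull in additional tag libraries.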
