Wednesday, June 30, 2010

Re: Disabling the use of certain template tags

I'm not sure whether you could define tags with these names yourself
that do nothing (or a safe version of what Django allows). I suspect
Django might not allow this and give a name clash.

Alternatively you could parse any such tags out of the user-defined
templates before passing them to the template engine:

import re

# Match any {% include ... %} or {% extends ... %} block tag
NAUGHTY_RE = re.compile(r'\{%[ ]*(include|extends)[^%]*%\}')

# template_string is the user-supplied template source
sanitized_template = NAUGHTY_RE.sub("REMOVED", template_string)

As long as the templates don't get too large, re should be a fairly
quick bet.

I haven't tested my regex with that many situations so you might want
to improve it, but it seems to work OK.

Euan

On 30 June, 04:07, Tom Eastman <tom.east...@otago.ac.nz> wrote:
> Hey guys,
>
> I'm planning on writing a django app that will serve as a tool for
> writing mail-merge type form letters.  Well, not actually letters, but
> documents which will have variable substitution in them, to be
> rendered either as HTML or LaTeX documents or some other markup language.
>
> Of course, I would love to be able to take advantage of the Django
> template system.  I imagine users being able to create their own
> templates which are then rendered with contexts to produce the output
> documents.
>
> That part is pretty easy -- I've done something similar before, and
> there's also the django-dbtemplates app which appears to do something
> similar.
>
> But I want to ensure that my users can't access anything in the template
> *loader*, to prevent them including system templates or other
> potentially sensitive things into their own templates.
>
> To that end, is there a way I can load and render templates, but disable
> any occurrences of the '{% include %}' or '{% extends %}' tags or things of
> that nature?
>
> Cheers,
>
>         Tom
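A variant of Euan's idea, added here as an example that is not code from either poster: instead of keying on a fixed spacing inside the tag, it finds block tags the way Django's lexer does (anything between `{%` and the nearest `%}`) and dispatches on the first whitespace-separated word, so `{%include%}`, extra spaces and tabs are all treated alike. It also offers a "find" function so the app can reject a template outright rather than silently editing it. The blocked set and the `REMOVED` placeholder are assumptions matching the thread; the tag regex is a stand-alone re-implementation, not an import from Django.

```python
import re

# Block tags as Django's lexer sees them: "{%" up to the nearest "%}" on
# the same line.  (Assumption: stand-alone mirror of the block-tag part
# of django.template's tag pattern, not Django's own code.)
BLOCK_TAG_RE = re.compile(r'\{%.*?%\}')

# Tags that reach the template loader and must not be user-controllable.
# Extend this set if other loader-touching tags are enabled in the app.
LOADER_TAGS = frozenset({'include', 'extends'})


def tag_name(tag_text):
    """Return the name Django would dispatch on: the first whitespace-
    separated word between the delimiters.  Tabs and runs of spaces all
    count as whitespace, as they do for Django's token.split_contents()."""
    parts = tag_text[2:-2].split()
    return parts[0] if parts else ''


def find_loader_tags(template_string, blocked=LOADER_TAGS):
    """List every block tag in the source whose name is in `blocked`.
    An empty list means the template is safe to hand to the engine;
    a non-empty one lets the app reject the upload instead of editing it."""
    return [m.group(0) for m in BLOCK_TAG_RE.finditer(template_string)
            if tag_name(m.group(0)) in blocked]


def sanitize(template_string, blocked=LOADER_TAGS, placeholder='REMOVED'):
    """Replace each blocked block tag with `placeholder`, leaving all other
    tags, variables and text untouched (Euan's approach, name-based)."""
    def repl(match):
        tag = match.group(0)
        return placeholder if tag_name(tag) in blocked else tag
    return BLOCK_TAG_RE.sub(repl, template_string)


if __name__ == '__main__':
    # Constructed sample: a user template mixing allowed and blocked tags.
    sample = ('{% extends "base.html" %}\n'
              '{% block body %}Dear {{ name }},{%\tinclude "x.html" %}{% endblock %}')
    print(find_loader_tags(sample))
    print(sanitize(sample))
```

A comment block such as `{# {% include "a" %} #}` is also stripped, which is harmless: the check errs on the side of removing too much, never too little.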
