Is it safe to create user-created Django templates?

Is it possible to allow users to create their own Django templates with a set of predefined variables and then display this template on the server? I would pass a very limited set of parameters to render, all of which are strings. The templates will look something like this:

hey, my name is {{name}}.

So the question is, are there Django template tags that can be abused to get information that users should not receive? The tag that bothers me the most is {% url %}.

PS

I noticed this question after filling out the header; however, my question is slightly different. I probably won't use HTML / JavaScript at all; I'll use Textile / Markdown, or find a way to limit HTML to a very simple set of tags.

+5
3 answers

There are three main risks:

  • , . , {{ request.user.kill }} kill() . , kill.alters_data = True . , , , , .

  • , . RequestContext ( ), . , , , .

  • , , . , , : {{ current_user.corporate_account.owner.ssn }} ... , , - .

, , , , . , {% debug %}, {% include %}. {% ssi %}, . , .

+3

, (, ), , , Javascript, XSS.

+3

include and ssi look too dangerous for my taste, especially ssi, which uses absolute paths. My opinion is that this is too risky a business.

+3
