Securely providing custom Django templates

As in the previous question, I decided to create a website that allows Django designers to upload templates and CSS files. I will provide a well-defined set of context inputs and objects, and then draw the templates provided by users. This, I hope, will give beginners a wide range of examples to work from, and give designers a good way to stretch their wings.

I need a way to determine if a template is "safe" for rendering. I hope there is no malicious JavaScript, crazy requests in the way that will destroy my web server, etc. Now I know that there is no reliable way to disinfect them, but I would like something better than just "trust my users."

Any suggestions are welcome.

1 answer

I know that this is not exactly what you hope for, but the safest option is to allow end users to save a copy of their template, display HTML and CSS with all screens. You can let them upload an image of what the finished theme will look like.

The second option is to let them upload something, but not display it on the website until you check what they sent.

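The two options in the answer above, sketched as an added example that is not part of the original question or answer. It assumes the first option means showing the uploaded source as escaped text; the class `TemplateReviewQueue`, its method names, and the sample upload are hypothetical, and binding an approval to a SHA-256 of the reviewed text is an added design choice.

```python
import hashlib
import html


class TemplateReviewQueue:
    """Hypothetical store: uploads are shown as text and rendered only after review."""

    def __init__(self):
        self._source = {}    # name -> uploaded template text
        self._approved = {}  # name -> SHA-256 of the exact text a reviewer approved

    @staticmethod
    def digest(text):
        return hashlib.sha256(text.encode("utf-8")).hexdigest()

    def upload(self, name, text):
        # A re-upload replaces the text; any earlier approval stops matching.
        self._source[name] = text

    def approve(self, name, reviewed_digest):
        # The reviewer approves the digest of what they actually read, so a
        # re-upload between review and approval is not approved by accident.
        if self.digest(self._source[name]) != reviewed_digest:
            raise ValueError("template changed since it was reviewed")
        self._approved[name] = reviewed_digest

    def is_approved(self, name):
        return self._approved.get(name) == self.digest(self._source[name])

    def preview(self, name):
        # Option 1: show the source as inert text. html.escape turns <, >, &
        # and quotes into entities, so the browser displays the markup as text.
        return "<pre>" + html.escape(self._source[name], quote=True) + "</pre>"

    def source_for_rendering(self, name):
        # Option 2: only reviewed text may reach the template engine.
        if not self.is_approved(name):
            raise PermissionError("template is awaiting review")
        return self._source[name]


# Constructed sample upload, not taken from the original post.
SAMPLE = '<h1>{{ title }}</h1><script>alert("x")</script>'
```

Only the string returned by `source_for_rendering` would be handed to the template engine; `preview` output can be placed on a page for any upload, reviewed or not.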
