On Wed, 2006-07-05 at 12:32 +0000, plungerman wrote:
> greetings,
>
> i would like to store django template code in a database and retrieve
> it for display. before i go any further, does anyone foresee any
> security risks with this approach? there will be control over those
> users who can manipulate the data but not so much that we could monitor
> what everyone would be doing at any given moment. that said, i have
> not seen anything in the template code that could present a system
> security danger if used maliciously.
It is entirely dependent on the safety of the template tags you are using. The standard Django tags do not permit you to change data via a template tag (see the discussion of "alters_data" in the templates_python.txt document). But your own custom tags (or other custom tags that are available via "load") may not be so diligently marked.

> my approach was to create a template tag to retrieve the data from the
> database and then display it in a template when called. unfortunately,
> when i use the templatetag in a template, the django template code is
> not parsed or rendered. you see the templated code itself. for
> example, {% block content %}{% endblock %}
>
> so question two would be, how can you tell the template rendering
> mechanism in django to parse the data as if it were any other template
> code? below find the code for the templatetag if that will help
> diagnose the problem.

Unless I am missing something, you don't seem to have included the code that actually creates the template. At some point you are going to get a string of text out of the database and have to call

    t = django.template.Template(template_string)

with the data (template_string, here). This will give you back a template object and you can render that using the current context by calling

    t.render(context)

That last line will probably be in the render() method of whatever your template tag is.

Also, just in passing, are you deliberately not having DoGetData inherit from template.Node or was that a typo? I'm not sure if it's necessary here, but I can't completely understand what your code is trying to do (probably more my fault than yours -- I'm getting sleepy).

Does any of the above help you at all?

Regards,
Malcolm

You received this message because you are subscribed to the Google Groups "Django users" group.
For more options, visit this group at http://groups.google.com/group/django-users
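The following is an added illustration of Malcolm's "alters_data" point; it is example code written for this page, not code from the thread or from Django. Using only the standard library, it models the variable-lookup rule that Django's engine applies to `{{ a.b.c }}` (dictionary key, then attribute, then list index, with any callable found along the way called with no arguments unless it is marked `alters_data = True`), so that a template string pulled from the database cannot trigger a destructive method on a context object. The `Account` class, its methods and the stored template text are constructed for the demonstration; in a real project the Node's `render()` method hands the string to `django.template.Template(...)` and calls `.render(context)` as described above, rather than using this small `render()`.

```python
"""Model of Django's template variable lookup with the alters_data guard.

Added example (not from the thread or from Django): a standard-library
re-implementation of the lookup rule the template engine applies to
``{{ a.b.c }}``.  The Account class, its methods and STORED_TEMPLATE are
constructed sample data.
"""
import re

# Matches {{ dotted.variable.path }} tokens in a template string.
VARIABLE_RE = re.compile(r"{{\s*([\w.]+)\s*}}")


class Account:
    """Constructed model object; only the alters_data marker matters here."""

    def __init__(self, owner, balance):
        self.owner = owner
        self.balance = balance
        self.deleted = False

    def summary(self):
        # Read-only method: harmless for a template to call.
        return f"{self.owner}: {self.balance}"

    def delete(self):
        # Destructive method: the marker below keeps the engine from calling it.
        self.deleted = True
        return "deleted"

    delete.alters_data = True


def resolve(path, context):
    """Resolve a dotted path the way Django's engine does (simplified)."""
    current = context
    for bit in path.split("."):
        try:
            current = current[bit]                   # 1. dictionary lookup
        except (TypeError, KeyError, IndexError, AttributeError):
            try:
                current = getattr(current, bit)      # 2. attribute lookup
            except AttributeError:
                try:
                    current = current[int(bit)]      # 3. list-index lookup
                except (ValueError, TypeError, IndexError, KeyError):
                    return ""                        # unresolvable: empty string
        if callable(current):
            if getattr(current, "alters_data", False):
                # A method marked alters_data is never invoked from a template;
                # it resolves to the empty string instead.
                return ""
            current = current()                      # 4. call zero-arg callables
    return current


def render(template_string, context):
    """Substitute {{ variable }} tokens only; Django's Template class does the real work."""
    return VARIABLE_RE.sub(lambda m: str(resolve(m.group(1), context)), template_string)


# Constructed "row from the database": template text a user was allowed to edit.
STORED_TEMPLATE = "{{ account.summary }} / {{ account.delete }} / {{ account.owner }}"


def demo():
    """Render the stored template and report whether delete() was triggered."""
    account = Account("alice", 10)
    output = render(STORED_TEMPLATE, {"account": account})
    return output, account.deleted


if __name__ == "__main__":
    text, deleted = demo()
    print(text)                      # the delete token renders as nothing
    print("deleted:", deleted)       # False: the guard held
```

The practical consequence for templates stored in a database is the one Malcolm gives: every method reachable from the context is callable by whoever can edit the stored text, so each custom tag and each model method that changes state needs the `alters_data` marker, or the template author effectively has write access.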