Be careful,
Don't forget that users will be able to execute random templatetags,
which may be able to do read/write to the database as well.
On 16 oct, 18:06, "Henrik Genssen" <henrik.gens...@miadi.net> wrote:
> Hi,
>
> can I safely use the template engine to produce user configured output?
> If I use the template engine like it is done in the RSSFeed:
>
> title_tmp = Template('{% load i18n %}' + userInput)
> ctx = Context({'dstart': date.dstart, ....
>
> where userInput is something a user can fill in.
> So far, the only point seems to be:
> protect functions of objects one uses in the context, so nobody can delete
> items or do something else...
>
> Am I overlooking something?
>
> regards
>
> Henrik
--
You received this message because you are subscribed to the Google Groups
"Django users" group.
To post to this group, send email to django-us...@googlegroups.com.
To unsubscribe from this group, send email to
django-users+unsubscr...@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/django-users?hl=en.
