In addition to what Jonathan said, keep in mind that letting your users enter raw HTML opens your site up to XSS attacks, since userInput could contain JavaScript, and it won't be escaped if you just turn it directly into a template.
You could render userInput into the template as a context variable, and then load the result of that as a template, but that would of course preclude your users from using *any* HTML.

On Oct 16, 12:06 pm, "Henrik Genssen" <henrik.gens...@miadi.net> wrote:
> Hi,
>
> can I safely use the template engine to produce user configured output?
> If I use the template engine like it is done in the RSSFeed:
>
> title_tmp = Template('{% load i18n %}' + userInput)
> ctx = Context({'dstart': date.dstart, ....
>
> where userInput is something a user can fill in.
> So far, the only point seems to be:
> protect functions of objects one uses in the context, so nobody can delete
> items or do something else...
>
> Am I overlooking something?
>
> regards
>
> Henrik
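The two ways of handling userInput discussed in this thread, as an added example that is not part of the original messages: the code below is a small stand-in for Django's documented variable-resolution rules (dotted lookup as dict key, then attribute, then list index; zero-argument callables invoked during resolution unless they carry `alters_data = True` or `do_not_call_in_templates = True`; HTML autoescaping of resolved values). It is not Django's own engine, and the `Item` class and the sample strings are constructed for illustration. It shows that a user-controlled template string both injects raw HTML and calls methods on the context objects, while the same string passed in as a context variable is escaped and its `{{ ... }}` is inert text. A real Django template string additionally hands the user every tag (the `{% load %}` in the quoted snippet is one of them), which this stand-in does not model.

```python
"""User input rendered *as* a template vs. rendered *into* a template.

Stand-in for Django's variable resolution (not Django's code): dotted lookup,
zero-argument callables invoked unless flagged, HTML escaping of values.
"""
import html
import re

VAR_RE = re.compile(r"\{\{\s*([\w.]+)\s*\}\}")


class Item:
    """Constructed model-like object with destructive methods, as Django models have."""

    def __init__(self, title):
        self.title = title
        self.deleted = False

    def delete(self):
        # Unflagged: a template engine that calls callables will run this.
        self.deleted = True
        return ""

    def purge(self):
        # alters_data = True is Django's documented marker telling the engine
        # not to call this method during variable resolution.
        self.deleted = True
        return ""

    purge.alters_data = True


def resolve(path, ctx):
    """Resolve 'a.b.c' like Django: dict key, then attribute, then list index.
    Callables met along the way are invoked with no arguments unless flagged."""
    current = ctx
    for bit in path.split("."):
        try:
            current = current[bit]
        except (TypeError, KeyError, AttributeError, IndexError):
            try:
                current = getattr(current, bit)
            except AttributeError:
                try:
                    current = current[int(bit)]
                except (ValueError, IndexError, TypeError, KeyError):
                    return ""  # Django's string_if_invalid default
        if callable(current):
            if getattr(current, "do_not_call_in_templates", False):
                pass  # leave the callable itself as the value
            elif getattr(current, "alters_data", False):
                return ""  # refused: Django substitutes string_if_invalid
            else:
                current = current()
    return current


def render(template_src, ctx):
    """Substitute each {{ var }} with its HTML-escaped value; literal text is
    left untouched, exactly like template source in Django."""
    return VAR_RE.sub(lambda m: html.escape(str(resolve(m.group(1), ctx))), template_src)


def render_user_input_as_template(user_input, item):
    """The pattern in the quoted snippet: the user's text *is* the template."""
    return render(user_input, {"item": item})


def render_user_input_as_variable(user_input, item):
    """The safer alternative: a fixed template, user text as a context variable."""
    return render("<h1>{{ title }}</h1>", {"title": user_input, "item": item})


if __name__ == "__main__":
    payload = "<script>alert(1)</script>{{ item.delete }}"  # constructed attacker input

    victim = Item("report")
    print(render_user_input_as_template(payload, victim))  # raw <script> passes through
    print("deleted via template:", victim.deleted)          # True: delete() was called

    victim = Item("report")
    print(render_user_input_as_template("{{ item.purge }}", victim))
    print("deleted via alters_data method:", victim.deleted)  # False: call refused

    victim = Item("report")
    print(render_user_input_as_variable(payload, victim))   # escaped, braces inert
    print("deleted via variable:", victim.deleted)           # False
```

Note that `alters_data` only protects the methods you remember to flag; it does not stop the user from reaching every other attribute and zero-argument method of every object in the context, which is why the second approach (user text as data, never as template source) is the one to prefer.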