I have done similar to allow my users the ability to use template tags in publications we put out. I thought long and hard about the repercussions of this and what I decided on in the end is that all of my users are (should be at least) considered trusted (we all work in the same office) and the only way it could end up biting me in the butt is if a user's login gets compromised, in which case I have other issues to worry about anyway ;)
On Mon, Oct 18, 2010 at 10:11 AM, ringemup <ringe...@gmail.com> wrote:
> In addition to what Jonathan said, keep in mind that letting your
> users enter raw HTML opens your site up to XSS attacks, since
> userInput could contain JavaScript, and it won't be escaped if you
> just turn it directly into a template.
>
> You could render userInput into the template as a context variable,
> and then load the result of that as a template, but that would of
> course preclude your users from using *any* HTML.
>
> On Oct 16, 12:06 pm, "Henrik Genssen" <henrik.gens...@miadi.net> wrote:
> > Hi,
> >
> > can I safely use the template engine to produce user configured output?
> > If I use the template engine like it is done in the RSSFeed:
> >
> > title_tmp = Template('{% load i18n %}' + userInput)
> > ctx = Context({'dstart': date.dstart, ....
> >
> > where userInput is something a user can fill in.
> > So far, the only point seems to be:
> > protect functions of objects one uses in the context, so nobody can
> > delete items or do something else...
> >
> > Am I overlooking something?
> >
> > regards
> >
> > Henrik
>
> --
> You received this message because you are subscribed to the Google Groups "Django users" group.
> To post to this group, send email to django-us...@googlegroups.com.
> To unsubscribe from this group, send email to django-users+unsubscr...@googlegroups.com.
> For more options, visit this group at http://groups.google.com/group/django-users?hl=en.

--
Brendan Smith, IT Coordinator
National Priorities Project
http://www.nationalpriorities.org
http://www.costofwar.com
http://www.facebook.com/nationalpriorities
413 584 9556