I think that depends upon the context the view provides, and upon what tag libraries can be loaded.
Objects in the context can have their methods called (with some restrictions). If your view pre-converts all interesting data to strings and numbers, and/or sequences or dictionaries of such, then the available methods are limited so you can review them for safety. You could also automate checking of any tag libraries loaded against a list of those you have deemed safe. Of course, there could be additional vulnerabilities that aren't coming to mind.

Bill

On 1/26/12, graeme <graeme.piete...@gmail.com> wrote:
> Are Django templates safe enough to use templates provided by
> untrusted users? Is it possible to limit functionality? I am not only
> concerned with what the templates can access, but also things like
> being able to consume excessive resources with, for example, deeply
> nested loops.
>
> If not Django templates then what? I ideally need simple conditionals
> and some way of looping. Mustache is close to what I need (it will
> probably do if I cannot find better) but AFAIK cannot iterate over a
> tree. I also just found
> StringTemplate (from stringtemplate.org, not the standard library!),
> Anyone tried either of these?
>
> --
> You received this message because you are subscribed to the Google Groups
> "Django users" group.
> To post to this group, send email to django-users@googlegroups.com.
> To unsubscribe from this group, send email to
> django-users+unsubscr...@googlegroups.com.
> For more options, visit this group at
> http://groups.google.com/group/django-users?hl=en.
>
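The two controls Bill describes (pre-converting the context to plain data, and checking loaded tag libraries against an allowlist), together with graeme's concern about deeply nested loops, as an added example in Python. This is not code from the thread or from Django itself: it pre-scans the template source with regular expressions instead of using Django's parser, and the allowlist `SAFE_LIBRARIES`, the limit `MAX_FOR_DEPTH` and the sample template are constructed values for illustration.

```python
import re

# Constructed allowlist: tag libraries reviewed and deemed safe for untrusted templates.
SAFE_LIBRARIES = frozenset({"humanize"})
# Constructed limit on how deeply {% for %} loops may nest in an untrusted template.
MAX_FOR_DEPTH = 2

# {% load a b %} and {% load tag from lib %} forms of the load tag.
_LOAD_RE = re.compile(r"{%\s*load\s+(.*?)\s*%}")
# {% for ... %} and {% endfor %}; group(1) is "end" for the closing tag.
_FOR_RE = re.compile(r"{%\s*(end)?(for)\b[^%]*%}")


def sanitize_context(value, _depth=0):
    """Reduce a context value to str/bool/number/None, lists, and dicts with str keys.

    Model instances, callables and other objects are replaced by their string form,
    so a template can only read plain data and never reach a method on them.
    """
    if _depth > 20:
        raise ValueError("context nested too deeply")
    if value is None or isinstance(value, (bool, str, int, float)):
        return value
    if isinstance(value, dict):
        return {str(k): sanitize_context(v, _depth + 1) for k, v in value.items()}
    if isinstance(value, (list, tuple, set)):
        return [sanitize_context(v, _depth + 1) for v in value]
    return str(value)


def loaded_libraries(source):
    """Return every tag library name the template source tries to {% load %}."""
    libs = []
    for match in _LOAD_RE.finditer(source):
        tokens = match.group(1).split()
        if "from" in tokens:              # {% load tag1 tag2 from library %}
            libs.append(tokens[tokens.index("from") + 1])
        else:                             # {% load library1 library2 %}
            libs.extend(tokens)
    return libs


def disallowed_libraries(source):
    """Loaded libraries that are not on the reviewed allowlist, sorted."""
    return sorted(set(loaded_libraries(source)) - SAFE_LIBRARIES)


def max_for_depth(source):
    """Deepest nesting of {% for %} blocks in the template source."""
    depth = deepest = 0
    for match in _FOR_RE.finditer(source):
        if match.group(1):                # {% endfor %}
            depth = max(depth - 1, 0)
        else:                             # {% for ... %}
            depth += 1
            deepest = max(deepest, depth)
    return deepest


def check_template(source):
    """Return a list of problems; an empty list means the pre-scan passed."""
    problems = []
    bad = disallowed_libraries(source)
    if bad:
        problems.append("disallowed tag libraries: " + ", ".join(bad))
    depth = max_for_depth(source)
    if depth > MAX_FOR_DEPTH:
        problems.append(f"for-loop nesting depth {depth} exceeds {MAX_FOR_DEPTH}")
    return problems


if __name__ == "__main__":
    # Constructed untrusted template that breaks both rules.
    sample = (
        "{% load humanize %}{% load foo from sneaky %}"
        "{% for a in xs %}{% for b in a %}{% for c in b %}{{ c }}"
        "{% endfor %}{% endfor %}{% endfor %}"
    )
    for problem in check_template(sample):
        print("rejected:", problem)
    # A context containing a callable is flattened before it reaches the template.
    print(sanitize_context({"title": "Report", "rows": [(1, "a")], "helper": len}))
```

The pre-scan is a gate in front of rendering, not a replacement for restricting the engine itself: Django's template `Engine` also takes `libraries` and `builtins` options that decide what can be loaded at all. Note that a nesting limit bounds loop depth but not total work, so the sanitizer is also the place to truncate oversized sequences from the context before an untrusted template iterates over them.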