On 10/6/07, Andreas Ahlenstorf <[EMAIL PROTECTED]> wrote:
> Do you think about specific context processors or tags provided by
> default with Django?

Built-in tags I'm not so worried about, though there are some dangerous context processors (the 'request' and 'debug' processors, for example). But third-party tag libraries are a wide-open field; template tags get full access to the Python API and can do *anything*, which means you need to carefully review every single tag for potentially malicious effects.

My personal favorite example is a tag I wrote a while back (and which a number of people are using) that fetches the "latest" content from any particular model. It's useful for things like "latest five blog entries" or "latest ten news stories", but because it uses a generic API it can also be turned into "latest five session keys" by a malicious user...

> By the way, it would be nice to have a small (sub)chapter in the docs
> that mentions all the things someone has to take care of when exposing the
> Django templates to arbitrary users.

Personally, I wouldn't ever open up the template language to arbitrary users. It's asking for trouble.

--
"Bureaucrat Conrad, you are technically correct -- the best kind of correct."
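The "latest N objects of model X" tag described above is a good illustration of why every third-party tag needs review: a generic model lookup is only as safe as the set of models it will resolve. The following is an added example, not code from this post or from Django. It stands in for Django's model registry with a constructed dict so it runs without Django installed; the model labels, rows, and the `EXPOSED_MODELS` allowlist are all made-up sample data. It shows the unrestricted lookup beside a hardened form that resolves only explicitly exposed models and bounds the count, with the check done at tag-compilation time so a template author gets an error rather than data.

```python
"""Allowlisting a generic "latest N objects of model X" template tag.

Added example, not code from the mailing-list post or from Django. Django's
model registry is replaced by a constructed dict so this runs without Django;
all model labels, rows and the EXPOSED_MODELS allowlist are made-up sample data.
"""
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Record:
    pk: int
    created: datetime
    summary: str


# Constructed stand-in for the ORM: "app_label.ModelName" -> stored rows.
MODEL_REGISTRY = {
    "blog.Entry": [
        Record(1, datetime(2007, 10, 1), "First post"),
        Record(2, datetime(2007, 10, 3), "Second post"),
        Record(3, datetime(2007, 10, 5), "Third post"),
    ],
    "news.Story": [
        Record(10, datetime(2007, 10, 2), "Story A"),
        Record(11, datetime(2007, 10, 4), "Story B"),
    ],
    # Sensitive table that a template author must never be able to read.
    "sessions.Session": [
        Record(100, datetime(2007, 10, 6), "session-key-CONSTRUCTED"),
    ],
}

# Models a template author is allowed to query; everything else is denied.
EXPOSED_MODELS = frozenset({"blog.Entry", "news.Story"})
MAX_COUNT = 50


class TagArgumentError(ValueError):
    """Raised at tag-compilation time for a bad or disallowed argument."""


def latest_unrestricted(model_label, count):
    """The pattern the post warns about: any registered model can be fetched."""
    rows = MODEL_REGISTRY[model_label]
    return sorted(rows, key=lambda r: r.created, reverse=True)[:count]


def latest_allowlisted(model_label, count, allowlist=EXPOSED_MODELS):
    """Hardened form: only explicitly exposed models, with a bounded count."""
    if model_label not in allowlist:
        raise TagArgumentError(f"model {model_label!r} is not exposed to templates")
    if not 1 <= count <= MAX_COUNT:
        raise TagArgumentError(f"count must be between 1 and {MAX_COUNT}")
    return latest_unrestricted(model_label, count)


def is_denied(model_label, count=1):
    """True if the hardened lookup rejects this label/count combination."""
    try:
        latest_allowlisted(model_label, count)
    except TagArgumentError:
        return True
    return False


def parse_tag_args(token):
    """Parse 'get_latest app.Model N as varname' the way a tag compiler would."""
    parts = token.split()
    if len(parts) != 5 or parts[0] != "get_latest" or parts[3] != "as":
        raise TagArgumentError("usage: get_latest app_label.Model count as varname")
    label, count_text, varname = parts[1], parts[2], parts[4]
    if not count_text.isdigit():
        raise TagArgumentError("count must be a positive integer")
    return label, int(count_text), varname


def render_latest(token, context=None):
    """Resolve the tag and return a copy of the context with the result bound."""
    label, count, varname = parse_tag_args(token)
    ctx = dict(context or {})
    ctx[varname] = latest_allowlisted(label, count)
    return ctx


if __name__ == "__main__":
    entries = render_latest("get_latest blog.Entry 2 as entries")["entries"]
    print([r.pk for r in entries])  # newest first
    try:
        render_latest("get_latest sessions.Session 5 as keys")
    except TagArgumentError as exc:
        print("denied:", exc)
```

The important design point is that the allowlist is a static, code-level constant rather than a setting a template can influence, and the rejection happens when the tag is compiled, so a disallowed label never reaches the query layer. Reviewing a real tag library for this property (what set of models or attributes can a template argument reach?) is the kind of check the post is asking for.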