In this case, I think I'll be fine, as the templates that would match any of these patterns just contain public, static content, nothing dynamic. However, I will definitely keep the code snippet for future use!
Thank you to all who have replied, I really appreciate your help and guidance as I get up to speed.

Brandon

On Apr 18, 3:35 pm, "Marty Alchin" <[EMAIL PROTECTED]> wrote:
> Just a quick word of warning: You're now essentially passing
> unfiltered user input directly into the template loader. Depending on
> what content you have in your templates, this may imply a security
> risk. For instance, if you have a template that hard-codes any secure
> information, such as system account information or settings or
> whatever, and someone happens to guess the name of that template, the
> URL pattern you're using would allow them to pull up that template
> directly, even if you have authentication protecting the view that
> normally accesses it.
>
> Keep in mind, though, that this would only pull up the private
> template, not the private view. So it would load the template with a
> different context, and would probably not render very well. All the
> same, any content that's hard-coded directly in the template, rather
> than being pulled from the context, is fair game for an attacker to
> access.
>
> Consider something like this instead:
>
> # in urls.py
> def easy_template(name):
>     return (r'^%s/$' % name, direct_to_template, {'template': '%s.html' % name})
>
> urlpatterns = patterns('',
>     (r'^$', direct_to_template, {'template': 'home.html'}),
>     easy_template('compliance-bsa'),
>     easy_template('compliance-audits'),
>     easy_template('bsa-audits'),
>     easy_template('compliance-officer'),
> )
>
> That way, you get to work some DRY magic, while still being able to
> explicitly declare exactly which templates are accessible through this
> scheme. That's untested, by the way, but it should work.
>
> -Gul
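To make the difference between the two URL schemes concrete, here is an added example that is not from the thread or from Django itself: it models URL resolution in plain Python with the standard `re` module instead of Django's `patterns()`/`direct_to_template`, and compares a catch-all pattern (anything the visitor types is turned into a template name) with the explicit allowlist Marty describes. The template names beyond those in the thread, and the set of templates "on disk", are constructed for the example; `re.escape` is an addition so that a name with regex metacharacters cannot widen a pattern.

```python
import re
from typing import List, Optional, Pattern, Tuple

# Constructed stand-in for the project's template directory. Only names are
# modelled; nothing is read from disk. "internal-settings.html" plays the role
# of a template that is never meant to be reachable by URL.
TEMPLATES_ON_DISK = {
    "home.html",
    "compliance-bsa.html",
    "compliance-audits.html",
    "bsa-audits.html",
    "compliance-officer.html",
    "internal-settings.html",  # constructed: hard-codes content that should stay private
}

# "Before": a single catch-all pattern. Whatever path segment the visitor
# supplies becomes the template name handed to the loader.
CATCH_ALL: Pattern[str] = re.compile(r"^(?P<name>[\w-]+)/$")


def resolve_catch_all(path: str) -> Optional[str]:
    """Return the template the catch-all scheme would load for `path`, or None."""
    match = CATCH_ALL.match(path)
    if not match:
        return None
    template = f"{match.group('name')}.html"
    # The loader only fails if the file does not exist; any existing template,
    # public or not, is served.
    return template if template in TEMPLATES_ON_DISK else None


# "After": the DRY helper from the thread, minus Django. Each call declares one
# public template explicitly; nothing outside the list is reachable.
def easy_template(name: str) -> Tuple[Pattern[str], str]:
    return (re.compile(r"^%s/$" % re.escape(name)), f"{name}.html")


URLPATTERNS: List[Tuple[Pattern[str], str]] = [
    (re.compile(r"^$"), "home.html"),
    easy_template("compliance-bsa"),
    easy_template("compliance-audits"),
    easy_template("bsa-audits"),
    easy_template("compliance-officer"),
]


def resolve_allowlisted(path: str) -> Optional[str]:
    """Return the template the allowlist scheme would load for `path`, or None."""
    for pattern, template in URLPATTERNS:
        if pattern.match(path):
            return template
    return None


def compare(path: str) -> Tuple[Optional[str], Optional[str]]:
    """Side-by-side result of both schemes for one requested path."""
    return resolve_catch_all(path), resolve_allowlisted(path)


if __name__ == "__main__":
    for requested in ("compliance-bsa/", "internal-settings/", "does-not-exist/", ""):
        before, after = compare(requested)
        print(f"{requested!r:22} catch-all -> {before!s:24} allowlist -> {after}")
```

Running the block prints one line per requested path: the public templates resolve under both schemes, but `internal-settings/` is served by the catch-all and refused by the allowlist, which is the exposure Marty is pointing at. The allowlist also makes the set of reachable templates visible in one place in `urls.py`, so a later addition of a sensitive template cannot become reachable by accident.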