
Is Django's templating markup for views safe for end user editing like rails liquid templating?

Developer https://www.devze.com 2023-01-26 07:49 Source: Web
I want end users to be able to edit their view templates online, so it has to be safe or 'jailed' such that only the objects I explicitly push to the view page are made accessible.

i.e. I don't want the end user to be able to write python code, or figure out my connection string information etc. etc.

Is Django's templating markup for views safe for this type of usage?


Django templates are safe for this kind of code as far as I know.

The only kind of logic beyond simple loops/branches that can be executed in the template is whatever is registered as a template tag or filter. Template tags or filters can only be registered through the backend code.

Here you can see a list of template tags and filters: http://docs.djangoproject.com/en/dev/ref/templates/builtins/?from=olddocs. Most of them just work on strings or dates etc.

Cheers

EDIT: You definitely want to make sure that the settings object isn't available in the template context.


Django templates are safe for the most part but this is based on what you exposed to the template context.

The biggest issue is exposing objects to the template since all the methods get passed along. This is especially true for QuerySets which are the most common object passed to the template and the most vulnerable.

If you pass articles from the view to the template

articles = Articles.objects.all()

I could do the following

{% for article in articles %}
    {{ article.delete }}
{% endfor %}
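An added example, not code from either answer, showing the two layers a defender relies on here: Django's own `alters_data` flag, which its variable lookup honours for `Model.delete` and `Model.save`, and a whitelist proxy around whatever the view pushes into the context, so that ordinary methods and unrelated attributes are simply unreachable from a user-edited template. `resolve` is a hypothetical stand-in for Django's dotted variable lookup and `FakeArticle` is a constructed model double, so no Django install is needed to run it.

```python
class ReadOnlyProxy:
    """Wrap one object; expose only whitelisted, non-callable attributes."""
    def __init__(self, obj, fields):
        object.__setattr__(self, "_obj", obj)
        object.__setattr__(self, "_fields", frozenset(fields))

    def __getattr__(self, name):
        if name not in self._fields:
            raise AttributeError(name)  # not whitelisted: invisible to the template
        value = getattr(self._obj, name)
        if callable(value):
            raise AttributeError(name)  # never hand a method to a template
        return value

    def __setattr__(self, name, value):
        raise AttributeError("context objects are read-only")

def resolve(value, dotted):
    """Mimic Django's dotted lookup (dict key, attribute, list index); '' stands in for string_if_invalid."""
    for bit in dotted.split("."):
        try:
            value = value[bit]
        except (TypeError, AttributeError, KeyError, ValueError, IndexError):
            try:
                value = getattr(value, bit)
            except AttributeError:
                try:
                    value = value[int(bit)]
                except (IndexError, ValueError, TypeError, KeyError):
                    return ""
        if callable(value):
            if getattr(value, "alters_data", False):  # Django refuses to call these
                return ""
            value = value()
    return value

class FakeArticle:
    """Constructed stand-in for a model instance, not a real Django model."""
    connection_string = "postgres://app:secret@db/app"  # constructed secret
    def __init__(self, title):
        self.title, self.deleted = title, False
    def delete(self):  # Django marks Model.delete and Model.save with alters_data = True
        self.deleted = True
    delete.alters_data = True
    def leak(self):  # an ordinary public method, which Django would call
        return self.connection_string

articles = [FakeArticle("first"), FakeArticle("second")]
safe_articles = [ReadOnlyProxy(a, ("title",)) for a in articles]  # what the template may touch
```

Pushing `safe_articles` instead of `articles` into the context is the 'jail' the question asks for: `{{ article.title }}` still renders, while `{{ article.delete }}`, `{{ article.leak }}` and `{{ article.connection_string }}` all resolve to the invalid-variable string.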