Safe template decorator

<p>A decorator that restricts the tags and filters available to template loading and parsing inside the decorated function.</p>
<p>This is mainly meant for the case where you let users write templates in the Django template language (DTL). Obviously you do not want them to be able to do anything potentially malicious with it.</p>
<p>The {% ssi %} tag, for example, includes a file from the filesystem and could be used to display the contents of sensitive files if its allowed include roots are configured too loosely.</p>
<p>{% load %} gives them access to every template tag library on the path, i.e. the arbitrary Python code you (or a third-party app) wrote in templatetags. {% load sudo %}{% sudo rm -rf / %} o_0</p>
<p>Note that the "load" tag (among others) is not listed in the default tag whitelist. If you parse a template (however indirectly) in a function decorated with this, unlisted builtin tags behave like undefined tags, i.e. they raise a TemplateSyntaxError.</p>
<p>Since {% load %} is not whitelisted, you may want to include some custom tags or filters as "builtins" for convenience. Simply put the module paths of the libraries to include in the extra kwarg or in the extra_libraries list. In general this is not recommended: anything you expose this way runs with your code's privileges on user-controlled input, so those libraries need to be programmed carefully and defensively.</p>
<p><strong>NOTE</strong>: This <strong>does not</strong> do anything about cleaning your rendering context! That is completely up to you: whatever you put in the context (model instances, the request, settings) stays reachable through ordinary variable lookups. This merely restricts which tags and filters are allowed in the templates.</p>
# use_safe_templates is the decorator this snippet provides (its source is
# not reproduced on this page). Wrapping a loader means every template it
# loads, and every template those templates include, is parsed with the
# restricted tag/filter set.
from django.template.loader import get_template
safe_get_template = use_safe_templates(get_template)
tmpl = safe_get_template('myapp/some_template.html')

# Wrapping the Template constructor restricts parsing of a template string.
from django.template import Template
use_safe_templates(Template)('{% load sudo %}')
# TemplateSyntaxError: Invalid block tag 'load'
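<p>As an added, stand-alone illustration (not the snippet's own code, which is not reproduced on this page, and not Django's parser), the following Python mirrors what the decorator enforces at parse time: every block tag and every filter in the template source is checked against an allow-list, and {% load %}, {% ssi %}, the safe filter and any other unlisted name are refused with a TemplateSyntaxError before anything is compiled. It needs no Django install. The whitelists, the TemplateSyntaxError stand-in and the names restrict_template_source, check_template_source, is_rejected and compile_template are assumptions of this example. Two details are mirrored from the real lexer: tags written inside {# ... #} or {% comment %} are never parsed, and a "|" inside a quoted filter argument is not a filter separator. Closing and branch tags (endif, else, ...) are listed explicitly here because this is a source-level scan; in Django's parser the opening tag consumes them.</p>

```python
import re
from functools import wraps

# Django's lexer finds block tags, variables and comments with one regex, in
# source order and without DOTALL; mirroring it keeps this check in step with
# what the real parser sees (a tag written inside {# ... #} is plain text).
TOKEN_RE = re.compile(r"({%.*?%}|{{.*?}}|{#.*?#})")

# Allow-lists constructed for this example; the snippet's real defaults are not
# shown on the page. Closers/branches are listed because this is a source scan.
SAFE_TAGS = frozenset({
    "if", "elif", "else", "endif", "for", "empty", "endfor", "with", "endwith",
    "comment", "endcomment", "now", "spaceless", "endspaceless",
})
SAFE_FILTERS = frozenset({
    "escape", "force_escape", "length", "lower", "upper", "title",
    "date", "time", "truncatewords", "default", "join", "linebreaksbr",
})


class TemplateSyntaxError(ValueError):
    """Stand-in for django.template.TemplateSyntaxError (Django not imported)."""


def filter_names(expr):
    """Names of the filters applied in a DTL expression, in order:
    'user.name|default:"a|b"|upper' -> ['default', 'upper'].
    A '|' inside a quoted argument is not a filter separator."""
    pieces, piece, quote = [], [], None
    for ch in expr:
        if quote:                       # inside a "..." or '...' argument
            if ch == quote:
                quote = None
        elif ch in "\"'":
            quote = ch
        elif ch == "|":
            pieces.append("".join(piece))
            piece = []
            continue
        piece.append(ch)
    pieces.append("".join(piece))
    names = []
    for raw in pieces[1:]:              # pieces[0] is the variable itself
        m = re.match(r"\s*(\w+)", raw)
        if m:
            names.append(m.group(1))
    return names


def check_template_source(source, tags=SAFE_TAGS, filters=SAFE_FILTERS):
    """Raise TemplateSyntaxError at the first tag or filter outside the
    allow-lists; otherwise return the (kind, name) uses found, in order."""
    seen = []
    in_comment = False

    def check_filters(expr):
        for name in filter_names(expr):
            if name not in filters:
                raise TemplateSyntaxError("Invalid filter: %r" % name)
            seen.append(("filter", name))

    for tok in TOKEN_RE.findall(source):
        if tok.startswith("{#"):        # {# ... #} is never parsed
            continue
        if tok.startswith("{{"):
            if not in_comment:
                check_filters(tok[2:-2])
            continue
        m = re.match(r"\s*(\w+)(.*)", tok[2:-2])
        if not m:
            raise TemplateSyntaxError("Empty block tag")
        name, rest = m.group(1), m.group(2)
        if in_comment:                  # {% comment %} skips to endcomment unparsed
            in_comment = name != "endcomment"
            continue
        if name not in tags:
            raise TemplateSyntaxError("Invalid block tag: %r" % name)
        seen.append(("tag", name))
        in_comment = name == "comment"
        check_filters(rest)             # filters inside tag arguments count too
    return seen


def is_rejected(source, tags=SAFE_TAGS, filters=SAFE_FILTERS):
    """True if the allow-list check refuses this template source."""
    try:
        check_template_source(source, tags, filters)
    except TemplateSyntaxError:
        return True
    return False


def restrict_template_source(func, tags=SAFE_TAGS, filters=SAFE_FILTERS):
    """Decorator: vet the source string before the wrapped compiler sees it."""
    @wraps(func)
    def wrapper(source, *args, **kwargs):
        check_template_source(source, tags, filters)
        return func(source, *args, **kwargs)
    return wrapper


@restrict_template_source
def compile_template(source):
    """Stand-in for Template(source): returns the token list it would parse."""
    return TOKEN_RE.split(source)


if __name__ == "__main__":
    print(compile_template("Hi {{ name|upper }}"))
    for bad in ('{% load sudo %}', '{% ssi "/etc/passwd" %}', '{{ secret|safe }}'):
        print(bad, "->", "rejected" if is_rejected(bad) else "allowed")
```

<p>The decorator form matches the usage above: wrap whatever turns a string into a template, and nothing outside the allow-lists reaches the parser. As the note above says, this does nothing for the context; a whitelisted {{ user.password }} is still a lookup the template engine will happily perform.</p>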
