'Sandboxed' Template engine/context


Michael Thomas

Jul 10, 2020, 9:22:36 AM
to Django users
Hi all,

Does anyone know of a straightforward way to create an independent template engine instance with a subset of the tags/filters/etc. defined?

The use-case is for allowing user-supplied template content, while preventing said users from being able to use features that could be dangerous, leak information, etc. (e.g. {% extends %}, {% load %}, {{my-secret-variable-that-is-loaded-into-global-context}})

Kind Regards,
Michael

Integr@te System

Jul 10, 2020, 10:41:30 AM
to django...@googlegroups.com
Hi Michael, 

Some templates, such as Mako, Jinja, Genshi...




--
You received this message because you are subscribed to the Google Groups "Django users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to django-users...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-users/e8456f7f-e52f-4bf4-95c6-419d84600687o%40googlegroups.com.

Michael Thomas

Jul 11, 2020, 5:25:08 AM
to Django users
Hi,

I'm aware that other template engines could be used, but it would be much more preferable to stick with Django's template engine for a variety of reasons (e.g. using the same tags in the 'sandboxed' environment vs. regular).


Integr@te System

Jul 11, 2020, 7:20:06 AM
to django...@googlegroups.com
Hi Michael,


Also see the Django docs for your use case;
they are very detailed about the built-in Jinja2 engine, and you must configure the backend environment to use it.

Hope these are useful.





Mitesh Shah

Aug 13, 2020, 12:42:21 PM
to Django users
Hi Michael, I'm looking for a similar option to allow users to upload their own templates for theming purposes.

Did you find any solution to this?

Thanks,
Mitesh