On Wednesday 24 December 2014 20:35:09 Tim Graham wrote:
> I was hoping to get clarification on what security model we intend to
> support for template authors. In ticket #12772
> <
https://code.djangoproject.com/ticket/12772> it's proposed to allow
> loading template tags using a dotted Python path. This would allow template
> authors to trigger imports of anything on the Python path. I am not sure
> the requirement to add a template tag library to INSTALLED_APPS is a big
> burden these days (e.g. there is no more need to create an empty models.py
> file), but perhaps I don't fully understand the ticket's rationale for
> proposing these changes.
In addition to what Curtis and Florian said, the ticket was made before the
default-project-layout change that made project-apps common; since Django 1.4
(or was it 1.3?) those have been a natural place for "common tags [to] be kept
together".
Reading also the ticket, I agree with Carl's argument that the libraries
available for loading should be explicitly controlled from Python code. In
fact, this point makes me wonder if it wouldn't be better (ignoring backwards
compatibility, of course) to require custom tags to be passed in through the
context ("project-global" custom tags could then be added in a context
processor).
Shai.
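The security point argued in the message above (a dotted-path `{% load %}` hands template-author input to the import system, an allowlist controlled from Python code does not), shown as an added stand-alone example that is not Django code and not part of the original thread. The `ConstructedModules` finder, the module sources it serves, the `register` dict standing in for `django.template.Library`, and the `attacker.payload` name are all constructed here for the demonstration:

```python
"""Two ways to resolve a template's {% load name %}: importing `name` as a
dotted path (the #12772 proposal) versus looking it up in an allowlist that
Python code controls. Everything below is a constructed stand-in, not Django."""
import importlib
import importlib.util
import sys


class ConstructedModules:
    """A sys.meta_path finder/loader, constructed for this example. It records
    every module name the import system asks it to resolve and serves source
    for a few constructed names, so the example runs offline and makes visible
    that importing a module executes its top-level code."""

    def __init__(self, sources):
        self.sources = sources
        self.requested = []   # every fullname the import machinery asked for
        self.effects = []     # appended to by top-level code of served modules

    def find_spec(self, fullname, path, target=None):
        self.requested.append(fullname)
        if fullname in self.sources:
            return importlib.util.spec_from_loader(fullname, self)
        return None           # let the normal finders (and failures) proceed

    def create_module(self, spec):
        return None           # use the default module object

    def exec_module(self, module):
        module.__dict__["_EFFECTS"] = self.effects   # constructed hook for the demo
        exec(self.sources[module.__name__], module.__dict__)


SOURCES = {
    # A legitimate tag library; `register` stands in for django.template.Library.
    "common_tags": "register = {'tags': ['nav_menu']}\n",
    # Importable, but not a tag library: its top-level code still runs on import.
    "sidecar": "_EFFECTS.append('sidecar top-level code ran')\n",
}

FINDER = ConstructedModules(SOURCES)
sys.meta_path.insert(0, FINDER)


def load_dotted(name):
    """Dotted-path loading: whatever the template author wrote gets imported."""
    module = importlib.import_module(name)
    register = getattr(module, "register", None)
    if register is None:
        raise ValueError(f"{name!r} was imported but is not a tag library")
    return register


def build_registry(names):
    """Explicit control from Python code: only these names become loadable."""
    return {n: importlib.import_module(n).register for n in names}


def load_registered(name, registry):
    """Allowlist loading: the template-supplied name never reaches the importer."""
    try:
        return registry[name]
    except KeyError:
        raise LookupError(f"{name!r} is not a registered tag library") from None


def attempt(loader, name):
    """Run one load attempt and report the outcome together with which names
    hit the import system and which top-level code ran as a result."""
    before = (len(FINDER.requested), len(FINDER.effects))
    try:
        loader(name)
        outcome = "loaded"
    except (ImportError, ValueError, LookupError) as exc:
        outcome = f"refused: {exc}"
    return {
        "outcome": outcome,
        "import_attempts": FINDER.requested[before[0]:],
        "side_effects": FINDER.effects[before[1]:],
    }


if __name__ == "__main__":
    for name in ("common_tags", "sidecar", "attacker.payload"):
        print("dotted    ", name, attempt(load_dotted, name))
    registry = build_registry(["common_tags"])
    for name in ("common_tags", "sidecar", "attacker.payload"):
        print("registered", name, attempt(lambda n: load_registered(n, registry), name))
```

Loading `sidecar` through the dotted path is refused in the end, but its top-level code has already run by then; the registry variant refuses the same name without consulting the import system at all, which is the property "explicitly controlled from Python code" buys.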