Is Django's templating markup for views safe for end user editing like rails liquid templating?


Problem description

I want end users to be able to edit their view templates online, so it has to be safe or 'jailed' such that only the objects I explicitly push to the view page are made accessible.

i.e. I don't want the end user to be able to write python code, or figure out my connection string information etc. etc.

Is django's templating markup for views safe for this type of usage?

Recommended answer

Django templates are safe for this kind of code as far as I know.

The only kind of logic beyond simple loops/branches that can be executed in the template is whatever is registered as a template tag or filter. Template tags or filters can only be registered through the backend code.

Here you can see a list of template tags and filters: http://docs.djangoproject.com/en/dev/ref/templates/builtins/?from=olddocs most of them just work on strings or dates etc.

Cheers

You definitely want to make sure that the settings object isn't available in the template context.
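As an added example (not part of the original question or answer, and not Django's own code), here is one way to enforce both points of the answer in Python before a user-authored template is ever compiled: a pre-check that refuses the built-in tags which reach beyond the data pushed into the context (`load`, `include`, `extends`, `ssi`, `debug`) and any underscore-prefixed lookup, plus a context builder that accepts only plain data, so the `settings` object, a request or a model instance cannot be pushed by accident. The token regex is the one Django's own lexer uses; the denied-tag set, the function names and the sample template and data are this example's assumptions.

```python
import re

# Token regex taken from Django's template lexer (django/template/base.py, tag_re):
# one match per {% tag %}, {{ variable }} or {# comment #}.
TAG_RE = re.compile(r"({%.*?%}|{{.*?}}|{#.*?#})", re.DOTALL)

# String literals are removed before scanning so that {{ x|default:"_" }} is
# not mistaken for an underscore lookup.
STRING_RE = re.compile(r'"[^"]*"|\'[^\']*\'')

# Built-in tags that let a template reach beyond the data pushed into its
# context. Assumption: no custom tag library should be loadable by end users.
DENIED_TAGS = {
    "load",     # pulls server-registered tag/filter libraries into scope
    "include",  # renders another template from the loaders' search path
    "extends",  # same, and lets the user override blocks of a site template
    "ssi",      # Django < 1.10 only: inlines a file from ALLOWED_INCLUDE_ROOTS
    "debug",    # dumps the entire context, including anything leaked into it
}


def check_user_template(source):
    """Return a list of (token, reason) violations; an empty list means it passed.

    Conservative pre-check run before the template is compiled. It does not
    replace Django's parser; it refuses the constructs that widen what an end
    user can reach from the template language. Django itself already rejects
    lookups starting with an underscore ("Variables and attributes may not
    begin with underscores"), so {{ obj.__class__ }} can never resolve; the
    check here only reports that earlier, with a clearer reason.
    """
    violations = []
    for token in TAG_RE.findall(source):
        if token.startswith("{#"):
            continue  # template comment, never rendered
        body = STRING_RE.sub("", token[2:-2]).strip()
        if token.startswith("{%"):
            name = body.split(None, 1)[0] if body else ""
            if name in DENIED_TAGS:
                violations.append((token, f"tag '{name}' is not allowed"))
        for var in re.findall(r"[\w.]+", body):
            if any(part.startswith("_") for part in var.split(".")):
                violations.append((token, f"underscore lookup in '{var}'"))
    return violations


PLAIN = (str, int, float, bool, type(None))


def safe_context(data, _path="context"):
    """Return a copy of `data` that contains only plain values, or raise TypeError.

    Refusing anything that carries attributes or methods (modules, the settings
    object, model instances, request objects, callables) means the template can
    only reach the values the view chose to push; there is no path from a plain
    dict to settings.DATABASES or any other connection string.
    """
    if isinstance(data, PLAIN):
        return data
    if isinstance(data, dict):
        return {str(k): safe_context(v, f"{_path}.{k}") for k, v in data.items()}
    if isinstance(data, (list, tuple)):
        return [safe_context(v, f"{_path}[{i}]") for i, v in enumerate(data)]
    raise TypeError(f"{_path}: {type(data).__name__} is not plain data")


if __name__ == "__main__":
    # Constructed sample: a user-authored template and the data a view pushes.
    user_template = "Hi {{ user.name }}! {% for t in tasks %}{{ t.title|upper }} {% endfor %}"
    print(check_user_template(user_template))  # []
    print(check_user_template("{% load static %}{{ request.__class__ }}"))
    print(safe_context({"user": {"name": "Ann"}, "tasks": [{"title": "a"}]}))
    # Once both checks pass, render with:
    #   django.template.Engine().from_string(user_template).render(Context(ctx))
```

Once `check_user_template` returns no violations and the data has gone through `safe_context`, render with `django.template.Engine().from_string(src).render(Context(ctx))`; the user can then only use the filters and tags the backend registered, on data the view explicitly chose to expose. The `ssi` entry only matters on Django releases before 1.10, where that tag still existed.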
