安全地呈现用户提供的django模板 [英] Safely rendering user provided django templates

问题描述

所以根据以前的我的问题我决定启动一个允许django设计者上传模板和CSS文件的网站。我将提供一组定义良好的上下文输入和对象，然后渲染用户提供的模板。这将有希望给新手一大堆例子，从设计师的角度来看，这是一个很好的方式。

So as per a previous question of mine I've decided to start a website which allows django designers to upload templates and css files. I'll provide a well defined set of context inputs and objects and then render the templates that the users provided. This will hopefully give newbies a large set of examples to work from and designers a good way to stretch their wings.

我需要一种方法来确定模板是否安全 渲染。希望确保没有恶意的JavaScript，疯狂的路径请求，将破坏我的网络服务器等。现在我知道，没有保证的方式来清理这些，但我想要的东西比只是信任我的用户。

I need a way to determine whether a template is "safe" to render. Hopefully making sure there are no malicious javascript, crazy path requests that will destroy my webserver, etc. Now I know that there's no guaranteed way to sanitize these but I'd like something better than just "trust my users".

任何建议都将被欢迎。

推荐答案

我知道这不完全是你希望，但最安全的选择是允许最终用户保存他们的模板的副本，渲染html&所有标签都已转义为css。您可以允许他们上传完成主题的图片。

I know this is not exactly what you are hoping for, but the safest option is to allow the end users to save a copy of their template, render the html & css with all tags escaped. You can allow them to upload a picture of what the finished theme would look like.

您的第二个选项是允许他们上传任何内容，但不会在网站上显示，直到你已经审核了他们提交了什么。

Your second option is to allow them to upload anything but not display it on the website until you have audited what they have submitted.

这篇关于安全地呈现用户提供的django模板的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！