I am building a multi-user web application. Each user can have their own site under my application. I am considering how to allow users to modify templates without security problems. I have evaluated some Python template engines. For example, Genshi is a pretty wonderful template engine, but it might be dangerous to allow users to modify Genshi templates. It has a syntax like this:
<?python
?>
This syntax allows you to run whatever Python can do. I notice that it seems it can be shut down by passing some parameter. But there are still a lot of potential problems. For example, users can access built-in functions and the methods of passed variables. For example, if I pass an ORM object to the template, it might contain some methods and variables that I don't want to allow users to touch. Maybe like this:
site.metadata.connection.execute("drop table xxx")
So my question is: how can I allow users to modify the template of their site without security problems? Any Python template engine can be used.
Thanks.
4 answers
#1
Look at the Django template engine. It does not support execution of arbitrary Python code, and all accessible variables must be passed into the template explicitly. This should be a pretty good foundation for building user-customizable pages. Beware that you'll still need to handle occasional syntax errors from your users.
#2
Jinja2 is a Django-ish templating system that has a sandboxing feature. I've never attempted to use the sandboxing, but I quite like Jinja2 as an alternative to Django's templates. It still promotes separation of template from business logic, but has more Pythonic calling conventions, namespacing, etc.
#3
In Rails there's something called Liquid. You might take a look at that to get some ideas. Another idea: at the very least, one thing you could do is to convert your objects into a simple dictionary - something like a JSON representation - and then pass that to your template.
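As an added example (not code from the question or any of the answers), the following shows the idea from answer #3 in working Python: before rendering, an ORM-style object is reduced to plain JSON-compatible data through a per-class allowlist, so the `site.metadata.connection.execute(...)` path from the question simply does not exist in what the template sees. It also includes a small dotted-path `lookup` that walks dicts and lists only, the way Django- or Liquid-style variable resolution does, to show that there is no object left for a template to call methods on. The `Site`, `Metadata` and `FakeConnection` classes and `ALLOWED_FIELDS` are constructed stand-ins; the same context dict would be handed to a real engine such as the Jinja2 sandbox mentioned in answer #2.

```python
import json
from datetime import date, datetime
from decimal import Decimal


# Constructed stand-ins for ORM objects. Real ORM instances also carry
# session/connection handles and methods that must never reach a template.
class FakeConnection:
    def execute(self, sql):
        raise RuntimeError("template must never reach here: " + sql)


class Metadata:
    def __init__(self):
        self.connection = FakeConnection()   # deliberately NOT allowlisted
        self.title = "My site"


class Site:
    def __init__(self):
        self.name = "alice"
        self.metadata = Metadata()
        self.created = date(2009, 1, 1)
        self.visits = 12


# Allowlist (hypothetical): which attributes of which classes may be exposed.
# Anything not listed here (methods, connections, sessions) is dropped.
ALLOWED_FIELDS = {
    Site: ("name", "metadata", "created", "visits"),
    Metadata: ("title",),
}

SCALARS = (str, int, float, bool, type(None))


def to_template_context(obj):
    """Convert obj into plain JSON-compatible data using ALLOWED_FIELDS.

    Unknown object types raise instead of being passed through, so a newly
    added model can't leak attributes into user templates by accident.
    """
    if isinstance(obj, SCALARS):
        return obj
    if isinstance(obj, Decimal):
        return str(obj)
    if isinstance(obj, (date, datetime)):      # datetime is a date subclass
        return obj.isoformat()
    if isinstance(obj, (list, tuple, set)):
        return [to_template_context(x) for x in obj]
    if isinstance(obj, dict):
        return {str(k): to_template_context(v) for k, v in obj.items()}
    fields = ALLOWED_FIELDS.get(type(obj))
    if fields is None:
        raise TypeError("no allowlist for %r" % type(obj).__name__)
    return {name: to_template_context(getattr(obj, name)) for name in fields}


def lookup(context, dotted):
    """Resolve a dotted variable such as 'site.metadata.title' over plain
    data only (dicts and lists). Any step that lands on a non-container
    yields None; there is never an object on which a method could be called.
    """
    cur = context
    for part in dotted.split("."):
        if isinstance(cur, dict):
            cur = cur.get(part)
        elif isinstance(cur, list) and part.isdigit():
            idx = int(part)
            cur = cur[idx] if idx < len(cur) else None
        else:
            return None
    return cur


def build_context():
    """Build the context a per-user template would receive."""
    ctx = {"site": to_template_context(Site())}
    json.dumps(ctx)   # raises if anything but primitives survived the conversion
    return ctx


if __name__ == "__main__":
    ctx = build_context()
    print(json.dumps(ctx, indent=2))
    print(lookup(ctx, "site.metadata.title"))
    print(lookup(ctx, "site.metadata.connection.execute"))
```

The allowlist is deliberately keyed by class rather than by attribute name, so a field is exposed only where it was explicitly chosen; combining this with a sandboxed engine gives two independent layers, since even an engine bug that re-enabled attribute access would find nothing but strings, numbers, lists and dicts.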
#4
The short answer is probably "you can't".
The best you can probably do is to trap the individual users in virtual machines or sandboxes.