Question
So, as per a previous question of mine, I've decided to start a website which allows Django designers to upload templates and CSS files. I'll provide a well-defined set of context inputs and objects and then render the templates that the users provided. This will hopefully give newbies a large set of examples to work from and designers a good way to stretch their wings.
I need a way to determine whether a template is "safe" to render, hopefully making sure there is no malicious JavaScript, crazy path requests that will destroy my webserver, etc. Now I know that there's no guaranteed way to sanitize these, but I'd like something better than just "trust my users".
Any suggestions would be welcome.
Answer 1:
I know this is not exactly what you are hoping for, but the safest option is to allow the end users to save a copy of their template, and render the HTML & CSS with all tags escaped. You can allow them to upload a picture of what the finished theme would look like.
Your second option is to allow them to upload anything but not display it on the website until you have audited what they have submitted.
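The two options in this answer can be combined, as in the following added example (not code from the original post): unaudited uploads are shown only as escaped source text, and a live render is allowed only after a reviewer sets an audit flag. The `Submission` class, its fields, and the `render_live` callback are hypothetical names; the sample upload is constructed.

```python
import html
from dataclasses import dataclass


@dataclass
class Submission:
    """A user upload (hypothetical model; field names are assumptions)."""
    author: str
    template_source: str
    css_source: str
    audited: bool = False  # set to True only by a human reviewer


def escaped_listing(sub: Submission) -> str:
    """Option 1: show the upload as inert text.

    The source never passes through the template engine, so {% ... %} tags
    are not executed, and html.escape() turns markup into entities, so the
    browser displays <script> as text instead of running it.
    """
    return "<h2>Template by {}</h2>\n<pre>{}</pre>\n<h2>CSS</h2>\n<pre>{}</pre>".format(
        html.escape(sub.author),
        html.escape(sub.template_source),
        html.escape(sub.css_source),
    )


def public_page(sub: Submission, render_live) -> str:
    """Option 2: only audited uploads reach the live renderer.

    render_live is a site-supplied callable (an assumption of this example)
    that renders an audited template against the fixed context.
    """
    if sub.audited:
        return render_live(sub)
    return escaped_listing(sub)


# Constructed sample upload containing template tags and markup.
SAMPLE = Submission(
    author="alice",
    template_source='{% include "secrets.html" %}<script>alert(1)</script>{{ user }}',
    css_source="body { background: url('x.png') }",
)

if __name__ == "__main__":
    print(public_page(SAMPLE, lambda s: "<!-- live render -->"))
```
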
Source: https://stackoverflow.com/questions/1987742/safely-rendering-user-provided-django-templates