Is it safe to render user-created Django templates?
There're three main risks:
1. Users modifying the data. For example, rendering
{{ request.user.kill }}
will trigger a kill() call during value lookup. To prevent this, you should set kill.alters_data = True in your model code. All built-in model methods that modify data are already marked, so the risk is only associated with your own methods or ones provided by poorly-written 3rd party apps.
2. Users directly accessing data they should not see. When RequestContext is used (which is most of the time), there're many variables added to the template rendering context. Add user-defined templates and you're getting a quite dangerous mix, because a user can view anything added by any context processor.
3. Users accessing data they should not see through relations. When you pass a model instance to a template, its relations could be traversed further than you could expect:
{{ current_user.corporate_account.owner.ssn }}
Oops... A good preventive measure would be carefully reviewing your model relations to make sure you're not exposing something sensitive.
Overall, I'd say it is safe as long as you are aware of the risks above and render user-supplied strings separately from regular templates. And make sure you explicitly forbid the {% debug %}, {% include %}, {% ssi %} template tags, as they can give away quite sensitive information. Maybe you can play it safe and only allow variables and filters and forbid control tags altogether.
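The three risks above, worked through with a deliberately simplified re-implementation of Django's dotted-variable lookup (this is added example code, not Django's own resolver and not code from the answer): a mutating method that is flagged with alters_data is skipped, an unflagged one gets called during lookup, a relation chain walks straight to another user's field, and a separate allowlisted context makes the same template resolve to nothing. The User class, the corporate_account relation and the values are constructed for the example.

```python
import re
class User:  # constructed stand-in for a Django model instance
    def __init__(self, name, ssn):
        self.name, self.ssn, self.deleted = name, ssn, False
    def delete(self):              # mutating method, correctly flagged
        self.deleted = True
    delete.alters_data = True      # the resolver must refuse to call it
    def wipe(self):                # same effect, but the flag was forgotten
        self.deleted = True
        return "wiped"

# Simplified re-implementation of Django's dotted lookup (dict key, then
# attribute, then list index; a callable result is invoked unless it is marked
# alters_data or do_not_call_in_templates). Not Django's own code.
def resolve(dotted, context, string_if_invalid=""):
    current = context
    for bit in dotted.split("."):
        try:
            current = current[bit]
        except (TypeError, KeyError, AttributeError):
            try:
                current = getattr(current, bit)
            except AttributeError:
                try:
                    current = current[int(bit)]
                except (TypeError, ValueError, IndexError, KeyError):
                    return string_if_invalid
        if callable(current) and not getattr(current, "do_not_call_in_templates", False):
            if getattr(current, "alters_data", False):
                return string_if_invalid   # skipped: the data stays untouched
            current = current()
    return current

VAR = re.compile(r"\{\{\s*([\w.]+)\s*\}\}")
def render(template, context):  # {{ a.b.c }} placeholders only: no tags, no filters
    return VAR.sub(lambda m: str(resolve(m.group(1), context)), template)
def safe_context_for(user):  # allowlisted plain values: no model instances, no relations to walk
    return {"display_name": user.name}
def demo():  # constructed data: a user whose account relation leads to another user's SSN
    victim, owner = User("alice", "123-45-6789"), User("bob", "987-65-4321")
    victim.corporate_account = {"owner": owner}
    full = {"request": {"user": victim}, "current_user": victim}  # RequestContext-style exposure
    leak = "{{ current_user.corporate_account.owner.ssn }}"
    return {
        "flagged": (render("{{ request.user.delete }}", full), victim.deleted),
        "unflagged": (render("{{ request.user.wipe }}", full), victim.deleted),
        "relation": render(leak, full),
        "restricted": render(leak + "|{{ display_name }}", safe_context_for(victim)),
    }
```

Running demo() shows the flagged method leaving victim.deleted False, the unflagged one flipping it to True, the relation chain returning the owner's SSN against the full context, and only the allowlisted display_name surviving against the restricted one.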
include and ssi look too dangerous for my taste, especially ssi, which uses absolute paths. My opinion is that this is too risky a business.
Well, from a server-side perspective it's safe (probably; no one has ever audited it), however the users could obviously generate any JavaScript they wanted to perform XSS attacks.