Reputation: 4450
I have an application which generates reports based on data from a MySQL database. Since customers want to use this report application as well and don't want to use our crappy report styles but their own styles, I want to implement a feature which lets them upload their own styles with HTML, CSS and JavaScript. Since they obviously need their dynamic content in their reports, they have to use Django template tags. Is there any security issue with letting customers use every Django template tag, or should I implement some kind of "markdown syntax" for specific Django template tags that users are allowed to use?
Upvotes: 0
Views: 124
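The restricted syntax the question proposes could look like the sketch below. It is an added example, not part of the original post and not Django's own API: customer files are never handed to the Django template engine, only allowlisted `{{ name }}` placeholders are substituted, and the field names in `ALLOWED_FIELDS` are assumptions.

```python
import html
import re

# Assumption: the only dynamic values a customer style may reference.
ALLOWED_FIELDS = {"report.title", "report.date", "customer.name"}

# A bare dotted name between {{ and }}: no filters, no arguments, no calls.
_PLACEHOLDER = re.compile(r"\{\{\s*([A-Za-z_][\w.]*)\s*\}\}")
# Anything still opening a variable or tag after placeholders are removed
# (e.g. "{% load %}", "{{ x|safe }}") is rejected rather than passed through.
_LEFTOVER = re.compile(r"\{\{|\{%")


class TemplateRejected(ValueError):
    """Raised when an uploaded style uses anything outside the allowlist."""


def validate(source):
    """Return the placeholders used in source, or raise TemplateRejected."""
    used = set(_PLACEHOLDER.findall(source))
    unknown = used - ALLOWED_FIELDS
    if unknown:
        raise TemplateRejected("unknown fields: " + ", ".join(sorted(unknown)))
    if _LEFTOVER.search(_PLACEHOLDER.sub("", source)):
        raise TemplateRejected("template tags and filters are not allowed")
    return used


def render(source, values):
    """Substitute allowlisted placeholders with HTML-escaped values.

    html.escape is correct for HTML text and quoted attributes only; a
    placeholder inside <script> or <style> needs context-specific encoding.
    """
    validate(source)
    return _PLACEHOLDER.sub(
        lambda m: html.escape(str(values[m.group(1)])), source
    )


if __name__ == "__main__":
    # Constructed sample upload and values.
    upload = "<style>@media print{h1{color:red}}</style><h1>{{ report.title }}</h1>"
    print(render(upload, {"report.title": "Q3 <draft>"}))
    for bad in ("{% load static %}", "{{ user.password }}", "{{ report.title|safe }}"):
        try:
            validate(bad)
        except TemplateRejected as exc:
            print("rejected:", bad, "->", exc)
```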
Reputation: 43320
They don't need to use Django template tags at all; you need to provide them an HTML template that they can override with their own CSS styling.
You then store their preferences in either a FileField or a large CharField that you then reference in your templates to load their styling where needed.
i.e.
<link rel="stylesheet" href="{{ user.styling.stylesheet.url }}" type="text/css" />
<style>{{ user.styling.css }}</style>
Upvotes: 1