On 10/13/06, Ned Batchelder <[EMAIL PROTECTED]> wrote:
> Only a security hole in the sense that a template author could put the DB
> password onto the page (for example) if they were stupid or malicious,
> right?

As I see it, the problem is twofold:

1. It's hard to say definitively which settings are "safe". For example, my personal blog has a setting which stores my del.icio.us password.
2. The definition of "template author" can get fuzzy, especially in collaborative, web-2.0-buzzword applications.

So it's not a matter of trusting the person who writes your primary template set, it's a matter of trusting everyone who might *ever* touch a template.

For the record, I'm a somewhat non-forceful +1 on a context processor for MEDIA_URL, etc., but I can see this going either way.

--
"May the forces of evil become confused on the way to your house."
  -- George Carlin
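
The trade-off discussed in this message, as an added example that is not part of the original email and is not Django's own code: a context processor that copies only allowlisted settings into the template context, next to one that hands templates the whole settings object. The `settings` stand-in, its values, `TEMPLATE_SAFE_SETTINGS` and the `resolve` helper are assumptions made up for the illustration.

```python
from types import SimpleNamespace

# Constructed stand-in for the project's settings module; all values are made up.
settings = SimpleNamespace(
    MEDIA_URL="/media/",
    DATABASE_PASSWORD="constructed-db-secret",
    DELICIOUS_PASSWORD="constructed-api-secret",
)

# Hypothetical allowlist: the only settings a template may ever see.
TEMPLATE_SAFE_SETTINGS = ("MEDIA_URL",)


def whole_settings(request):
    """Risky pattern: every setting is reachable by anyone who edits a template."""
    return {"settings": settings}


def safe_settings(request):
    """Context processor shape (request -> dict) that copies allowlisted values only."""
    return {name: getattr(settings, name) for name in TEMPLATE_SAFE_SETTINGS}


def resolve(context, dotted):
    """Small model of template variable lookup: dict key first, then attribute.

    Names that do not resolve yield '', the way a missing variable renders empty.
    """
    current = context
    for part in dotted.split("."):
        if isinstance(current, dict):
            current = current.get(part, "")
        else:
            current = getattr(current, part, "")
    return current


if __name__ == "__main__":
    for processor in (whole_settings, safe_settings):
        ctx = processor(request=None)
        print(processor.__name__,
              "| settings.DATABASE_PASSWORD ->",
              repr(resolve(ctx, "settings.DATABASE_PASSWORD")),
              "| MEDIA_URL ->", repr(resolve(ctx, "MEDIA_URL")))
```

With the allowlist, a new secret added to the settings later stays out of templates unless someone deliberately adds its name to `TEMPLATE_SAFE_SETTINGS`.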
