Is it safe to keep Django template strings inside a TextField of a Django model and allow users with staff privileges to edit them?
I'm asking because I'm unsure how safe or dangerous this could be. Would it be possible to abuse a built-in template tag to execute arbitrary code on the server? What are the possible attack scenarios? XSS for sure, but that's always possible for anyone you allow to publish HTML on their servers.

