Yes. The sandbox prevents the code in templates from accessing the file
system. What I am saying is that it is not the only problem you can have
with templates, and developers should check the code no matter what. A
template could include, for example, code that allows the designer to steal
credentials from other users.
Checking templates is easy. Just print all the strings in between {{...}}
and see if they do something funny like opening files. Takes a second to
check.
web2py templates work within the specs and are very fast. If you have any
problem with them, please let us know and we can help with the syntax.
Anyway, this is a matter of taste. You may find this code useful:
https://gist.github.com/mdipierro/9459290
It converts a jinja2 template to a web2py template. There may be exceptions.
Massimo
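A small review aid for the check described above (print every {{...}} block and look for anything that opens files or reaches into app internals), added here as an example and not code from this thread or from web2py itself. The watch list and the sample view are constructed assumptions; adapt the list to whatever your template policy allows designers to call.

```python
import re
import tokenize
from io import StringIO

# Names whose appearance inside a {{...}} block warrants a human look.
# Assumption: a starting point for a review policy, not a complete one.
SUSPICIOUS_NAMES = {
    "open", "file", "__import__", "import", "exec", "eval", "compile",
    "os", "sys", "subprocess", "shutil", "globals", "locals",
    "getattr", "setattr", "delattr",
}

# web2py code blocks are delimited by {{ and }}; DOTALL covers multi-line blocks.
BLOCK_RE = re.compile(r"\{\{(.*?)\}\}", re.DOTALL)

def extract_code_blocks(template_text):
    """Return the Python code inside every {{...}} block, in order.
    A leading '=' (web2py's output shorthand) is dropped."""
    blocks = []
    for m in BLOCK_RE.finditer(template_text):
        code = m.group(1).strip()
        if code.startswith("="):
            code = code[1:].strip()
        blocks.append(code)
    return blocks

def names_in(code):
    """Identifiers and keywords used in one snippet. tokenize copes with
    partial statements such as 'for row in rows:' that the template
    compiler only closes at a later {{pass}}."""
    found = set()
    try:
        for tok in tokenize.generate_tokens(StringIO(code).readline):
            if tok.type == tokenize.NAME:
                found.add(tok.string)
    except (tokenize.TokenError, IndentationError, SyntaxError):
        # Unterminated string etc.: fall back to a plain identifier scan.
        found.update(re.findall(r"[A-Za-z_][A-Za-z0-9_]*", code))
    return found

def find_suspicious(template_text, watch=SUSPICIOUS_NAMES):
    """(snippet, flagged names) for each block that touches a watched name."""
    hits = []
    for code in extract_code_blocks(template_text):
        flagged = sorted(names_in(code) & watch)
        if flagged:
            hits.append((code, flagged))
    return hits

# Constructed sample view, not taken from any real application.
SAMPLE_VIEW = """{{extend 'layout.html'}}
<h1>{{=title}}</h1>
<ul>{{for item in items:}}<li>{{=item}}</li>{{pass}}</ul>
{{=open('applications/myapp/private/appconfig.ini').read()}}
{{import os}}
"""
```

The page's own `{{` / `}}` parser in web2py remains the authority on block boundaries; this scan is a quick first pass for a reviewer, not a replacement for reading the view.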
On Monday, 23 March 2015 19:10:24 UTC-5, Robin Manoli wrote:
>
> Doesn't it sandbox designers from accessing the files from the web2py file
> system? The subset is a feature in this case, even if it's not a complete
> security fix. (I would appreciate some example of those javascript issues).
>
> I've also had trouble with nesting blocks (from different files) in web2py
> templates, as well as including views based on variable names. Even if it's
> fixable, those things are smoother with jinja.
>
> The main reason I'm using jinja is still the sandboxing. If web2py would
> allow me to choose what python functions of the app that is available for
> designers, I'd probably stick to web2py templates. On the other hand there
> are some nice features of jinja that are not written in web2py, even if
> they can be.
>
> Also, I'm still wondering about the bytecode issue. Does bytecoding
> require using web2py-style templates? Or have trouble with external
> modules? Or can you still bytecode the app for speed, but without
> bytecoding the templates? Does it matter if the controller renders a view,
> or does bytecode have any value if a controller returns a string?
>
> Thanks for your help,
> - Robin
>
> On Monday, 23 March 2015 at 18:54:54 UTC+1, Massimo Di Pierro wrote:
>>
>> You can use jinja2 with web2py. I do not endorse it but you can, like you
>> can use any template engine. Just replace
>>
>> def index():
>>     return dict(a=1, b=2)
>>
>> with
>>
>> from jinja2 import Environment, PackageLoader
>>
>> def index():
>>     env = Environment(loader=PackageLoader('yourapplication',
>>                                            'templates'))
>>     j2 = env.get_template('mytemplate.html')
>>     return j2.render(a=1, b=2)
>>
>> mind that jinja2 is not smart enough to figure out web2py helpers and
>> forms so if you have
>>
>> form = SQLFORM(...) # or other helper
>> return dict(form = form)
>>
>> you will have to do
>>
>> form = SQLFORM(...) # or other helper
>> return j2.render(form = form.xml())
>>
>> Anyway. I do not buy the argument that this sandboxes developers. Lots of
>> damage can be done with JS code alone and this does not sandbox that.
>> Moreover you are crippling your developers for a false sense of security.
>> You simply need a policy about what can be done in templates and a review
>> process to make sure the policy was followed.
>>
>> The jinja2 template can be thought of as a subset of the web2py template
>> set. There is nothing that jinja2 can do that web2py templates cannot do
>> already. The opposite is not true.
>>
>> Massimo
>>
>> On Saturday, 9 June 2012 01:35:04 UTC-5, kirpit wrote:
>>>
>>> Actually not, if you don't want your designers to run pure python and
>>> sandbox their templates.
>>>
>>> On Saturday, June 9, 2012 2:02:51 PM UTC+10, pbreit wrote:
>>>>
>>>> Using Jinja2 in Web2py seems like a very bad idea unless 1) you have
>>>> lots of content already in Jinja2 or 2) you are doing it purely as an
>>>> exercise.
>>>>
>>>>
>>>> On Friday, June 8, 2012 8:18:59 PM UTC-7, Massimo Di Pierro wrote:
>>>>>
>>>>> :-)
>>>>>
>>>>> On Friday, 8 June 2012 13:04:43 UTC-5, kirpit wrote:
>>>>>>
>>>>>> Since this discussion comes up as the first result of "web2py jinja2"
>>>>>> searches, here is a simple integration:
>>>>>>
>>>>>> https://github.com/kirpit/web2jinja
>>>>>>
>>>>>> Cheers,
>>>>>> kirpit
>>>>>>
>>>>>>
>>>>>> On Wednesday, January 27, 2010 1:24:53 PM UTC+11, Alexandre wrote:
>>>>>>>
>>>>>>> Hi,
>>>>>>>
>>>>>>> I want to replace web2py's template engine with Jinja 2
>>>>>>> <http://jinja.pocoo.org/2/>. Does anyone have some experience doing
>>>>>>> something similar? I'm trying to assign response._caller with a custom
>>>>>>> function, but I'm not having much success. Is that the right way?
>>>>>>>
>>>>>>> Thanks,
>>>>>>> Alexandre Rosenfeld
>>>>>>>
>>>>>>> Eng Comp 06 - USP São Carlos
>>>>>>> FoG - http://fog.icmc.usp.br
>>>>>>> IM Team - AIESEC
>>>>>>>
>>>>>>
You received this message because you are subscribed to the Google Groups
"web2py-users" group.