tags:

views:

66

answers:

2
Q: 

Untrusted templates in Python - what is a safe library to use?

I am building a library that will be used in several Python applications. It get multilingual e-mail templates from an RMDBS, and then variable replacement will be performed on the template in Python before the e-mail is sent.

In addition to variable replacement, I need the template library to support if, elif, and for statements in the templates.

I use Mako for most my projects, and also looked at Tempita as it doesn't provide a lot of features I don't need.

The concern I have is untrusted code execution - can someone point me at a template solution for Python that either does not support code execution, or will allow me to disable it?

+2  A: 

Have you checked out Jinja2? It's pretty much what you're talking about, and it's a great mix of powerful while keeping things simple and not giving the designer too much power. :)

If you've used Django's template system, it's very similar (if not based off of?) Jinja.

Bartek  2009-11-11 17:48:31
Jinja's syntax is actually based on that of Django's templates, not the other way around.
Will McCutchen  2009-11-11 21:20:42
Good to know, thanks Will!
Bartek  2009-11-11 23:51:23
+4  A: 

From the Django book:

For that reason, it’s impossible to call Python code directly within Django templates. All “programming” is fundamentally limited to the scope of what template tags can do. It is possible to write custom template tags that do arbitrary things, but the out-of-the-box Django template tags intentionally do not allow for arbitrary Python code execution.

Give Django templates a try. It's a little tricky to set up outside of a Django app -- something to do with DJANGO_SETTINGS_MODULE, search around -- but may be trusted.

a paid nerd  2009-11-11 17:49:00
Thanks, that does meet my requirement for disabling code execution. However, I am trying to keep this lib simple and I fear introducing some libraries designed for Django would run counter to that.
Tony  2009-11-11 18:03:43

related questions

Programmatically talking to a Serial Port in OS X or Linux
Best ways to teach a beginner to program?
Calling a Function From a String With the Function's Name in Python
An executable Python app
Text Editor For Linux (Besides Vi)?
What Hosting Service is best for Django applications?
File size differences after copying a file to a server vía FTP
Python: what is the difference between (1,2,3) and [1,2,3], and when should I use each?
Python: What OS am I running on?
How do I make a menu in python that does not require the user to press (enter) to make a selection?
How do you express binary literals in Python?
What is the most efficient graph data structure in Python?
Adding a Method to an Existing Object
How to learn Python: Good Example Code?
How do I use Python's itertools.groupby()?
Python and MySQL
Class views in Django
Is there an IDE that provides code completion for Python
Using 'in' to match an attribute of Python objects in an array
cx_Oracle - what is the best way to iterate over a result set?
cx_Oracle - How do I access Oracle from Python?
Continuous Integration System for a Python Codebase
Get a preview jpeg of a pdf on windows?
How can I find the full path to a font from its display name on a Mac?
XML Processing in Python