I am building a library that will be used in several Python applications. It gets multilingual e-mail templates from an RDBMS, and then variable replacement will be performed on the template in Python before the e-mail is sent.

In addition to variable replacement, I need the template library to support if, elif, and for statements in the templates.

I use Mako for most of my projects, and also looked at Tempita as it doesn't provide a lot of features I don't need.

The concern I have is untrusted code execution - can someone point me at a template solution for Python that either does not support code execution, or will allow me to disable it?

+2  A: 

Have you checked out Jinja2? It's pretty much what you're talking about, and it's a great mix of powerful while keeping things simple and not giving the designer too much power. :)

If you've used Django's template system, it's very similar (if not based off of?) Jinja.

Bartek
Jinja's syntax is actually based on that of Django's templates, not the other way around.
Will McCutchen
Good to know, thanks Will!
Bartek
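
An added example, not part of the answer above: a default Jinja2 Environment still lets a template read attributes and call methods on the objects it is handed, so database-stored templates are better rendered through Jinja2's own jinja2.sandbox.SandboxedEnvironment. The use of the sandbox and of StrictUndefined is this example's assumption, the helper names are hypothetical, and the templates are constructed samples.

```python
from jinja2 import Environment, StrictUndefined
from jinja2.exceptions import SecurityError
from jinja2.sandbox import SandboxedEnvironment

# Constructed sample: an e-mail template as it might be stored in the database.
TEMPLATE = (
    "Hello {{ name }},\n"
    "{% if tier == 'gold' %}Thank you for being a gold member.\n"
    "{% elif tier == 'silver' %}Thank you for being a silver member.\n"
    "{% else %}Thank you for your order.\n"
    "{% endif %}"
    "{% for item in items %}- {{ item }}\n{% endfor %}"
)

# Constructed sample: a template that reaches for Python internals
# instead of the variables it was given.
PROBE = "{{ name.__class__ }}"


def make_env():
    # The sandbox refuses underscore-prefixed and other internal attributes.
    # StrictUndefined turns a refused (or simply missing) value into an
    # exception instead of an empty string; autoescape covers HTML mail.
    return SandboxedEnvironment(undefined=StrictUndefined, autoescape=True)


def render_email(source, **variables):
    """Render one stored template with the given variables."""
    return make_env().from_string(source).render(**variables)


def sandbox_blocks(source, **variables):
    """True if the sandbox rejects the template with a SecurityError."""
    try:
        render_email(source, **variables)
    except SecurityError:
        return True
    return False


def plain_env_output(source, **variables):
    """Same template in a default Environment, for comparison only."""
    return Environment().from_string(source).render(**variables)


if __name__ == "__main__":
    print(render_email(TEMPLATE, name="Ana", tier="silver", items=["Book", "Pen"]))
    print("sandbox blocks probe:", sandbox_blocks(PROBE, name="Ana"))
    print("plain env renders probe as:", plain_env_output(PROBE, name="Ana"))
```
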
+4  A: 

From the Django book:

For that reason, it’s impossible to call Python code directly within Django templates. All “programming” is fundamentally limited to the scope of what template tags can do. It is possible to write custom template tags that do arbitrary things, but the out-of-the-box Django template tags intentionally do not allow for arbitrary Python code execution.

Give Django templates a try. It's a little tricky to set up outside of a Django app -- something to do with DJANGO_SETTINGS_MODULE, search around -- but may be trusted.

a paid nerd
Thanks, that does meet my requirement for disabling code execution. However, I am trying to keep this lib simple and I fear introducing some libraries designed for Django would run counter to that.
Tony