So as per a previous question of mine I've decided to start a website which allows django designers to upload templates and css files. I'll provide a well defined set of context inputs and objects and then render the templates that the users provided. This will hopefully give newbies a large set of examples to work from and designers a good way to stretch their wings.
我需要一种方法来确定模板是否安全 渲染。希望确保没有恶意的JavaScript,疯狂的路径请求,将破坏我的网络服务器等。现在我知道,没有保证的方式来清理这些,但我想要的东西比只是信任我的用户。
I need a way to determine whether a template is "safe" to render. Hopefully making sure there are no malicious javascript, crazy path requests that will destroy my webserver, etc. Now I know that there's no guaranteed way to sanitize these but I'd like something better than just "trust my users".
I know this is not exactly what you are hoping for, but the safest option is to allow the end users to save a copy of their template, render the html & css with all tags escaped. You can allow them to upload a picture of what the finished theme would look like.
Your second option is to allow them to upload anything but not display it on the website until you have audited what they have submitted.