[Cheetahtemplate-discuss] Security (when you're letting just anybody make templates)
- Nov 3, 2007

Hey guys, I'm new to mailing lists, and, well, I hope this is the right place to ask a question about Cheetah. Couldn't find an IRC channel (other than freenode's #ctah, which had 1 user online), and I really do want to talk to somebody about Cheetah.
I like Cheetah, I think it looks really nice, for what I want to do. I've been a member of a few community-creation type sites (two of which have since shut down), where something similar to a templating engine is used to make pages. These templating engines were all in-house, and not very nice. And then I saw Cheetah and other more public templating engines, and I thought to myself how much fun it would be to make a system like that. Not for profit, just for fun, and to let other people play around (because, of course, I'm not just going to throw it away :P).
So what happens in a system like that is that I give a set of templates, each of which gets data depending on which page it's on, I suppose, and the end-user can modify them and so on. Problem being that I'm giving random people access to the templating engine, which could be bad. I know that, at the least, there's <%= ... %> and <% ... %> that I would have to get rid of, but I'd like to know if there's anything else? Or, in the worst case, if Cheetah is simply not the right thing to use for this, that I'd also need to hear (and a recommendation to another templating system for it, if any others match the needs, would be wonderful).
Thanks for your time.