Is there a Python template library similar to Smarty or Radius (Ruby's Movable Type-like template library) out there?
The python wiki entry on this topic is here: http://wiki.python.org/moin/Templating
The two well-known template systems other than Django are Cheetah and Jinja.
Django's templating system is not especially powerful, by design, because that discourages any logic other than pure presentation logic in the templates. This is something that I value, having used JSP and ASP.
Jinja is pretty much a superset of Django's templates, except that if you wanted you could embed all of your view code in it (I wouldn't).
Cheetah looks rather more like JSP.
Any of these can be used with Django (the full stack framework), or you could use one of the microframeworks or "bundled" frameworks. See this wiki page: http://wiki.python.org/moin/WebFrameworks
AFAIK, Django. It has an excellent templating system.
It's slightly different from PHP, because of the following:
Variables and methods must be passed in to the template renderer.
Variables and methods are noted by {{ braces }}.
Tags (Django's version of PHP flow control statements) are denoted like {% if x %}, followed by a loop termination (like {% endif %}).
You can call functions directly from the template, but they will not accept any arguments.
There's a lot more, but I would highly recommend that you read the Django book.
Just one note: from personal experience, Django's ORM isn't very good for legacy database integration, so if you're looking for that, you might want to try SQLAlchemy.
EDIT: Marcin had a good summary - Django's templating system, by design, encourages the separation of presentation and processing logic (i.e., loose coupling).
EDIT 2: There's also mako, which has a more PHP-like syntax.
I have an idea to put the templates in the database, and offer the possibility for the designer to edit the templates directly from the CMS panel. But what haunts me is the security question. How could it be secure at all if we have the ability to put Python commands directly in the templates? If I have something like this in a Mako template:
<%!
import os
os.system('rm /var/www/env/harmless.txt')
%>
it will be performed successfully and harmless.txt will be removed. Should I look for another template engine instead of Mako, or could I somehow configure Mako to prevent harmful code injection? On the other hand, some Python commands are incredibly helpful in templates, the inline if statement for example.
If they have their own separated instance of a CMS it doesn't matter like Loic points out. But if they are in some shared environment it is best to use another template engine. The question Untrusted templates in Python - what is a safe library to use? recommends Django templates and Jinja2.
There is still a possibility to do what you want. The Mako engine lets you add a preprocessor to the template. I can't say for sure as I can't test at the moment, but you could have something like this:
Here: http://docs.makotemplates.org/en/latest/usage.html#mako.template.Template.params.preprocessor
import re
from mako.template import Template
def removeImports(source):
    # remove whatever you don't want inside the template, e.g. module-level <%! ... %> blocks
    return re.sub(r'<%!.*?%>', '', source, flags=re.S)
tpl = Template(...., preprocessor=removeImports)
If you're using a framework like pyramid you can make it a new renderer to do that for you on all templates.
As a security concern, if you want to go that way (as Mako is a terribly good engine in my own opinion), you should write a good set of test cases for your preprocessor. I'm pretty sure that imports can be achieved inside inline python <% %>. Actually imports can be achieved almost anywhere inside the template as you can use inline python almost everywhere.
So if you're concerned about running Python in a template, you can consider other templates such as Chameleon, Jinja2 ...
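The preprocessor sketched in this answer, written out as an added example (not the answerer's code): it plugs into Template(..., preprocessor=reject_python_blocks) but fails closed, refusing the template instead of silently stripping code, and it deliberately only covers the two Python block forms, since control lines and ${...} substitutions are still Python and a text filter is a guard, not a sandbox.

```python
import re

# Matches Mako Python blocks: module-level "<%! ... %>" and inline "<% ... %>".
# Tag forms such as <%def> or <%include> start with a letter and are not matched.
PYTHON_BLOCK = re.compile(r"<%!?(?=\s).*?%>", re.S)


class UnsafeTemplate(ValueError):
    """Raised when a stored template tries to embed a Python block."""


def reject_python_blocks(source):
    """Mako preprocessor that fails closed.

    It refuses the template rather than deleting code, so the designer
    sees why the save failed. Control lines ("% if x:") and ${name}
    substitutions still pass; ${...} remains a Python expression, so this
    is a guard against the obvious case, not a sandbox.
    """
    match = PYTHON_BLOCK.search(source)
    if match:
        line = source.count("\n", 0, match.start()) + 1
        raise UnsafeTemplate("Python block not allowed at line %d" % line)
    return source


def is_acceptable(source):
    """Boolean form for a CMS save handler or an admin-side validation."""
    try:
        reject_python_blocks(source)
        return True
    except UnsafeTemplate:
        return False
```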
I'm evaluating chameleon as a template renderer for Pyramid.
Some feature quite useful from Django, which also works with mako, is caching.
I couldn't find a similar feature by looking at the documentation, neither with a quick google search.
Is there a similar feature with Chameleon? If not, how can one deal with potentially long template rendering?
There is no built-in support for caching the rendered result of a Chameleon template.
There seems to be support for Beaker together with Pyramid. The thread below discusses that implementation.
http://groups.google.com/group/pylons-devel/browse_thread/thread/efe8fd52e6643c47/2675c7098bb32413
I'm looking into XSS with various frameworks and CMS and whether they provide methods in protecting against it (not just programmatically avoiding the situation).
I know that in Django's templating language you can specify a variable as |safe. I want to be able to allow actually safe HTML tags so the user can format text (simple things like etc), but strip such things as , onload attributes etc.
I would like to know whether Django recommends a method in doing this, not just using Python. I hope this makes sense
Jason
One of the core concepts of Django is that it's Python, and any Python lib should be usable with Django. They won't recreate the wheel unless there is good reason to. I believe HTML scrubbing/sanitizing is one of the things they've decided not to recreate.
BeautifulSoup is the python library you want to look into for any scrubbing/sanitizing though.
I am building a library that will be used in several Python applications. It gets multilingual e-mail templates from an RDBMS, and then variable replacement will be performed on the template in Python before the e-mail is sent.
In addition to variable replacement, I need the template library to support if, elif, and for statements in the templates.
I use Mako for most of my projects, and also looked at Tempita as it doesn't provide a lot of features I don't need.
The concern I have is untrusted code execution - can someone point me at a template solution for Python that either does not support code execution, or will allow me to disable it?
From the Django book:
For that reason, it’s impossible to call Python code directly within Django templates. All “programming” is fundamentally limited to the scope of what template tags can do. It is possible to write custom template tags that do arbitrary things, but the out-of-the-box Django template tags intentionally do not allow for arbitrary Python code execution.
Give Django templates a try. It's a little tricky to set up outside of a Django app -- something to do with DJANGO_SETTINGS_MODULE, search around -- but may be trusted.
Have you checked out Jinja2? It's pretty much what you're talking about, and it's a great mix of powerful while keeping things simple and not giving the designer too much power. :)
If you've used Django's template system, it's very similar (if not based off of?) Jinja.
I am building a multi-user web application. Each user can have their own site under my application. I am considering how to allow users to modify templates without security problems. I have evaluated some Python template engines. For example, Genshi is a pretty wonderful template engine, but it might be dangerous to allow users to modify Genshi templates. It has a syntax like this:
<?python
?>
This syntax allows you to run whatever Python can do. I notice that it seems it can be shut down by passing some parameter. But there are still a lot of potential problems. For example, users can access built-in functions, and methods of passed variables. For example, if I pass an ORM object to the template, it might contain some methods and variables that I don't want to allow the user to touch. Maybe like this:
site.metadata.connection.execute("drop table xxx")
So my question is how can I allow user to modify template of their site without security problems? Any python template engine can be used.
Thanks.
Jinja2 is a Django-ish templating system that has a sandboxing feature. I've never attempted to use the sandboxing, but I quite like Jinja2 as an alternative to Django's templates. It still promotes separation of template from business logic, but has more Pythonic calling conventions, namespacing, etc.
Jinja2 Sandbox
Look at the Django template engine. It does not support execution of arbitrary Python code and all accessible variables must be passed into the template explicitly. This should be a pretty good foundation for building user-customizable pages. Beware that you'll still need to handle occasional syntax errors from your users.
In Rails there's something called Liquid. You might take a look at that to get some ideas. Another idea: at the very least, one thing you could do is to convert your objects into a simple dictionary - something like a JSON representation - and then pass that to your template.
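The two suggestions above (pass variables in explicitly, and hand the template a plain dictionary rather than an ORM object) combined into an added example that is not from any answer here; Site, Metadata and Connection are constructed stand-ins for the ORM object in the question, and the rendering step uses string.Template only to show the context is pure data.

```python
import json
from string import Template

# Constructed stand-in for the ORM object in the question: it carries a
# live connection that a template must never be able to reach.
class Connection:
    def execute(self, sql):
        raise RuntimeError("template reached the database: " + sql)
class Metadata:
    def __init__(self):
        self.connection = Connection()
class Site:
    def __init__(self, name, owner, visits):
        self.name, self.owner, self.visits = name, owner, visits
        self.metadata = Metadata()

# Per-model allow-list: only these attributes are copied into the context.
# Anything else (metadata, methods, dunder attributes) is never exposed.
ALLOWED_FIELDS = {Site: ("name", "owner", "visits")}

def to_plain(value):
    """Recursively reduce a value to JSON-compatible primitives."""
    if value is None or isinstance(value, (str, int, float, bool)):
        return value
    if isinstance(value, (list, tuple)):
        return [to_plain(v) for v in value]
    if isinstance(value, dict):
        return {str(k): to_plain(v) for k, v in value.items()}
    fields = ALLOWED_FIELDS.get(type(value))
    if fields is None:  # fail closed on anything without an allow-list
        raise TypeError("no allow-list for %s" % type(value).__name__)
    return {f: to_plain(getattr(value, f)) for f in fields}

def safe_context(**objects):
    ctx = {k: to_plain(v) for k, v in objects.items()}
    json.dumps(ctx)  # sanity check: pure data, nothing callable survived
    return ctx

def flatten(ctx, prefix=""):
    # {"site": {"name": ..}} -> {"site_name": ..}, the shape string.Template wants
    flat = {}
    for k, v in ctx.items():
        if isinstance(v, dict):
            flat.update(flatten(v, prefix + k + "_"))
        else:
            flat[prefix + k] = v
    return flat

def render(template_text, **objects):
    # string.Template does pure substitution: no attribute access, no calls.
    return Template(template_text).safe_substitute(flatten(safe_context(**objects)))
```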
The short answer is probably "you can't".
The best you can probably do is to trap the individual users in virtual machines or sandboxes.