Is opening a templating engine to users a bad idea?
https://softwareengineering.stackexchange.com/questions/302269
08-12-2020
Question
My site allows users to create custom HTML templates for their profiles (very much like Tumblr and the theme system), and I picked the Twig template engine for the site.
However, I'm not sure if it's a good idea to give users the control of being able to access a template engine.
Is this a bad thing? How should I restrict access, or should I just totally rethink the strategy?
Solution
From the Twig homepage:
Secure: Twig has a sandbox mode to evaluate untrusted template code. This allows Twig to be used as a template language for applications where users may modify the template design.
and farther down:
Sandboxing: Twig can evaluate any template in a sandbox environment where the user has access to a limited set of tags, filters, and object methods defined by the developer. Sandboxing can be enabled globally or locally for just some templates:
{{ include('page.html', sandboxed = true) }}
So, all you have to do is sandbox the user templates and you should be fine.
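As an added illustration of the answer above (not code from the poster or from the Twig project), here is what sandboxing user templates looks like in practice with Twig 3: an allow-list `SecurityPolicy` that names the only tags, filters and object methods a profile template may use, a `SandboxExtension` enabled globally, and a render helper that turns a policy violation into a rejected submission instead of a server error. The `UserProfile` class, the method names and the sample templates are constructed for this example; only `vendor/autoload.php` from a Composer install of `twig/twig` is assumed.

```php
<?php
// Added example: render user-supplied Twig templates under an allow-list sandbox.
// Assumes Twig 3.x installed with "composer require twig/twig".
require __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Error\Error as TwigError;
use Twig\Extension\SandboxExtension;
use Twig\Loader\ArrayLoader;
use Twig\Sandbox\SecurityError;
use Twig\Sandbox\SecurityPolicy;

// Hypothetical model object handed to profile templates.
final class UserProfile
{
    public function __construct(
        private string $displayName,
        private string $bio,
        private array $tags,
        private string $emailAddress // intentionally never exposed to templates
    ) {}

    public function getDisplayName(): string { return $this->displayName; }
    public function getBio(): string { return $this->bio; }
    public function getTags(): array { return $this->tags; }
    public function getEmailAddress(): string { return $this->emailAddress; }
}

// Allow-list policy: anything not listed here is rejected when the template is compiled.
$policy = new SecurityPolicy(
    ['if', 'for'],                                                      // tags
    ['escape', 'upper', 'length', 'join'],                              // filters; "raw" is absent so autoescaping cannot be switched off
    [UserProfile::class => ['getDisplayName', 'getBio', 'getTags']],    // methods reachable via profile.displayName etc.
    [],                                                                 // properties
    []                                                                  // functions (no include/source/etc.)
);

$twig = new Environment(new ArrayLoader(), [
    'autoescape'       => 'html',
    'strict_variables' => true,
]);
// Second argument true: every template is sandboxed, not only those included with sandboxed=true.
$twig->addExtension(new SandboxExtension($policy, true));

/**
 * Compile and render a user-submitted template.
 * Returns the HTML, or null when the sandbox policy (or the parser) rejects the template.
 */
function renderUserTemplate(Environment $twig, string $source, UserProfile $profile): ?string
{
    try {
        return $twig->createTemplate($source)->render(['profile' => $profile]);
    } catch (SecurityError $e) {
        // Policy violation: log it and treat the template as invalid input.
        error_log('Sandbox rejected user template: ' . $e->getMessage());
        return null;
    } catch (TwigError $e) {
        // Syntax or runtime error in the user's template: also a validation failure, not a 500.
        error_log('User template failed: ' . $e->getMessage());
        return null;
    }
}

// Constructed sample data and templates.
$profile = new UserProfile('Ada', '<b>hi</b>', ['php', 'twig'], 'ada@example.invalid');

$allowed = "<h1>{{ profile.displayName|upper }}</h1>\n"
         . "<p>{{ profile.bio }}</p>\n"
         . "{% for t in profile.tags %}<span>{{ t }}</span>{% endfor %}";
$blockedFilter = "{{ profile.bio|raw }}";        // "raw" is not in the filter allow-list
$blockedMethod = "{{ profile.emailAddress }}";   // resolves to getEmailAddress(), which is not allowed

var_dump(renderUserTemplate($twig, $allowed, $profile));       // string; bio is rendered as &lt;b&gt;hi&lt;/b&gt;
var_dump(renderUserTemplate($twig, $blockedFilter, $profile)); // NULL
var_dump(renderUserTemplate($twig, $blockedMethod, $profile)); // NULL
```

Two points worth keeping in mind when adopting this: the policy is an allow-list, so start from an empty one and add only what profile templates genuinely need (leaving `raw` out keeps autoescaping in force), and the sandbox restricts which constructs a template may use, not how much work it may do, so long-running loops still need to be bounded by ordinary request limits such as PHP's execution time and memory settings.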