from django.utils.translation import ugettext_lazy as _
from django.core.validators import RegexValidator
from django.core.exceptions import ValidationError
+from django.template import Template, Parser, Lexer, TOKEN_BLOCK, TOKEN_VAR, TemplateSyntaxError
from django.utils import simplejson as json
import re
+from philo.utils import LOADED_TEMPLATE_ATTR
-LOADED_TEMPLATE_ATTR = '_philo_loaded_template'
INSECURE_TAGS = (
'load',
'extends',
'include',
+ 'debug',
)
def json_validator(value):
try:
json.loads(value)
- except:
- raise ValidationError(u'\'%s\' is not valid JSON' % value)
-
-
-from django.template import Template, Parser, Lexer, TOKEN_BLOCK
+ except Exception, e:
+ raise ValidationError(u'JSON decode error: %s' % e)
class TemplateValidationParser(Parser):
if secure:
disallow |= set(INSECURE_TAGS)
- self.allow, self.disallow = allow, disallow
+ self.allow, self.disallow, self.secure = allow, disallow, secure
def parse(self, parse_until=None):
if parse_until is None:
return nodelist
def disallowed_tag(self, command):
- raise ValidationError("Tag not allowed: %s" % command)
+ if self.secure and command in INSECURE_TAGS:
+ raise ValidationError('Tag "%s" is not permitted for security reasons.' % command)
+ raise ValidationError('Tag "%s" is not permitted here.' % command)
class TemplateValidator(object):
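Review bot: The rewritten handler in json_validator (`except Exception, e:`, replacing the bare except) still catches every exception, so a programming error such as a non-string value reaching json.loads is reported to the user as a "JSON decode error" instead of surfacing; json.loads signals malformed input with ValueError (simplejson's JSONDecodeError subclasses it), so `except ValueError, e:` is the narrow form that keeps the new message. Reporting the decoder's message rather than echoing the whole submitted value, as the old line did, is an improvement since the old message reflected arbitrary user input back in full. In disallowed_tag the new `self.secure and command in INSECURE_TAGS` test only selects the wording, because `disallow |= set(INSECURE_TAGS)` in `__init__` already folds those tags into self.disallow when secure is set; a comment such as `# INSECURE_TAGS are already in self.disallow when secure; this branch only picks the message` would make that intent clear. The `__init__` and `parse` bodies and the TemplateValidator class that begins at the last line continue outside the hunk.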