Is it safe to keep Django template strings inside a TextField of a Django model and allow users with staff privileges to edit them?
I’m asking because I’m unsure how safe/dangerous this could be. Would it be possible to abuse a built-in templatetag to execute arbitrary code on the server?
What are possible attack scenarios? XSS for sure, but that’s always possible for anyone you allow to publish HTML on your servers.
#django #python #xss #security