Can Django templates be used to execute arbitrary code on the server?

Is it safe to keep Django template strings inside a TextField of a Django model and allow users with staff privileges to edit them?

I’m asking because I’m unsure how safe/dangerous this could be. Would it be possible to abuse a built-in template tag to execute arbitrary code on the server?

What are possible attack scenarios? XSS for sure, but that’s always possible with anyone you allow to publish HTML on your servers.

#django #python #xss #security
