Untrusted Document Templates ============================ Untrusted document templates implement an untrusted interpreter for the DTML language. Untrusted templates protect any data they're given. >>> from zope.documenttemplate.untrusted import UntrustedHTML Consider a sample class, which allows access to attributes f1, f2, and name: >>> from zope.security.checker import NamesChecker >>> class C(object): ... def __init__(self, name, **kw): ... self.name = name ... self.__dict__.update(kw) ... def f1(self): ... return 'f1 called' ... def f2(self): ... return 'f2 called' ... __Security_checker__ = NamesChecker(['f1', 'f2', 'name']) We can get at alowed data just fine: >>> UntrustedHTML(' ')(C('bob')) 'f1 called bob' But we'll get an error if we try to access an attribute we're not alowed to get: >>> UntrustedHTML('')(C('bob', x=1)) Traceback (most recent call last): ... KeyError: 'x' If we create data inside the template, we'll be allowed to manipulate it: >>> UntrustedHTML(''' ... ... ... ... ''')() '\n [1]\n' but any attributes we get from data we create are proxied, and this protected: >>> UntrustedHTML(''' ... ... ... ... ... ''')() Traceback (most recent call last): ... KeyError: '__dict__' >>> UntrustedHTML(''' ... ... ... ... ''')() Traceback (most recent call last): ... ForbiddenAttribute: ('__dict__', ) >>> UntrustedHTML('''''')() Traceback (most recent call last): ... ForbiddenAttribute: ('__dict__', ) Access is provided to a number of utility functions provided by the template dict, but not to hidden functions: >>> UntrustedHTML('''''')() '1' But not to privare attributes: >>> UntrustedHTML('''''')() Traceback (most recent call last): ... ForbiddenAttribute: ('_pop', )