Comments on: Python Template Engine Comparison http://lucumr.pocoo.org/cogitations/2008/01/01/python-template-engine-comparison/ Armin Ronacher thinking Sun, 12 Oct 2008 06:39:06 +0000 http://wordpress.org/?v=2.2 By: Tony Landis http://lucumr.pocoo.org/cogitations/2008/01/01/python-template-engine-comparison/#comment-3304 Tony Landis Fri, 04 Apr 2008 22:00:55 +0000 http://lucumr.pocoo.org/cogitations/2008/01/01/python-template-engine-comparison/#comment-3304 Thank you, I found this information helpful Thank you, I found this information helpful

]]> By: Mario Ruggier http://lucumr.pocoo.org/cogitations/2008/01/01/python-template-engine-comparison/#comment-2789 Mario Ruggier Thu, 13 Mar 2008 17:19:12 +0000 http://lucumr.pocoo.org/cogitations/2008/01/01/python-template-engine-comparison/#comment-2789 Thanks. The changes necessary to make it a WZ + Evoque WSGI application are really trivial. I have documented them at: http://evoque.gizmojo.org/ext/werkzeug/ Thanks. The changes necessary to make it a WZ + Evoque WSGI application are really trivial. I have documented them at: http://evoque.gizmojo.org/ext/werkzeug/

]]> By: Armin Ronacher http://lucumr.pocoo.org/cogitations/2008/01/01/python-template-engine-comparison/#comment-2711 Armin Ronacher Mon, 10 Mar 2008 00:44:32 +0000 http://lucumr.pocoo.org/cogitations/2008/01/01/python-template-engine-comparison/#comment-2711 The code for the simple WZ + Mako WSGI app is available directly on the frontpage of the current werkzeug webpage: http://werkzeug.pocoo.org/ (Click on the nutshell) The code for the simple WZ + Mako WSGI app is available directly on the frontpage of the current werkzeug webpage: http://werkzeug.pocoo.org/

(Click on the nutshell)

]]> By: Mario Ruggier http://lucumr.pocoo.org/cogitations/2008/01/01/python-template-engine-comparison/#comment-2682 Mario Ruggier Sat, 08 Mar 2008 09:26:46 +0000 http://lucumr.pocoo.org/cogitations/2008/01/01/python-template-engine-comparison/#comment-2682 "I think as long as you can limit the syntax to expressions there are ways to restrict Python enough to allow the execution of untrusted code." This is exactly what I do in Evoque (http://evoque.gizmojo.org) ... only expressions, by design. And the evaluation context may only be "extended" from the application side, not (explictly) from within a template. (There are of course implicit context modifications from within templates, for example for setting of loop variables.) "I wrote a tiny WSGI application (about 50 lines of code) that just uses werkzeug’s routing system and uses template names as endpoints. These templates are then loaded with Mako, rendered and returned as responses." Sounds like an interesting expreiment. I'd be interested to see inside, and maybe to inflict the same task on Evoque to see emerges... is this available somewhere? “I think as long as you can limit the syntax to expressions there are ways to restrict Python enough to allow the execution of untrusted code.” This is exactly what I do in Evoque (http://evoque.gizmojo.org) … only expressions, by design. And the evaluation context may only be “extended” from the application side, not (explictly) from within a template. (There are of course implicit context modifications from within templates, for example for setting of loop variables.)

“I wrote a tiny WSGI application (about 50 lines of code) that just uses werkzeug’s routing system and uses template names as endpoints. These templates are then loaded with Mako, rendered and returned as responses.” Sounds like an interesting expreiment. I’d be interested to see inside, and maybe to inflict the same task on Evoque to see emerges… is this available somewhere?

]]> By: Eric Larson http://lucumr.pocoo.org/cogitations/2008/01/01/python-template-engine-comparison/#comment-1372 Eric Larson Wed, 02 Jan 2008 21:31:59 +0000 http://lucumr.pocoo.org/cogitations/2008/01/01/python-template-engine-comparison/#comment-1372 Great overview of these excellent templating libraries. If you (or anyone else) is interested in an XSLT based WSGI middleware templating solution, there is XSLTemplates (http://code.google.com/p/xsltemplates). I am the author, but really it is just a simple way to use XSLT with 4Suite/Amara within WSGI web applications. I tried to use Kid and just couldn't grab onto the mix between XSLT and other templating languages, so I looked into BuffetXSLT, which was lacking the more obvious templating pieces like passing in parameters and data structures (node-set in XSLT). This lead me to XSLTemplates. I'm aiming at making it easy to do things like adding your own helper functions and sending parameters and node-sets to templates. If any one does try it out, feel free to send along comments or suggestions. Great overview of these excellent templating libraries.

If you (or anyone else) is interested in an XSLT based WSGI middleware templating solution, there is XSLTemplates (http://code.google.com/p/xsltemplates). I am the author, but really it is just a simple way to use XSLT with 4Suite/Amara within WSGI web applications.

I tried to use Kid and just couldn’t grab onto the mix between XSLT and other templating languages, so I looked into BuffetXSLT, which was lacking the more obvious templating pieces like passing in parameters and data structures (node-set in XSLT). This lead me to XSLTemplates.

I’m aiming at making it easy to do things like adding your own helper functions and sending parameters and node-sets to templates. If any one does try it out, feel free to send along comments or suggestions.

]]> By: Armin Ronacher http://lucumr.pocoo.org/cogitations/2008/01/01/python-template-engine-comparison/#comment-1365 Armin Ronacher Wed, 02 Jan 2008 09:05:51 +0000 http://lucumr.pocoo.org/cogitations/2008/01/01/python-template-engine-comparison/#comment-1365 Before the big parser rewrite Jinja wandered through the AST and intercepted all dangerous operations. This basically works the same with the new parser too, but some things such as "item assignment unpacking during iteration" is not allowed in the new syntax and so there is no check for that any more. So basically what Jinja does currently is disallowing all access to attributes like "__subclasses__", disallowing attribute modifications on objects passed to the context, recursive includes, infinite loops etc. I think as long as you can limit the syntax to expressions there are ways to restrict Python enough to allow the execution of untrusted code. Before the big parser rewrite Jinja wandered through the AST and intercepted all dangerous operations. This basically works the same with the new parser too, but some things such as “item assignment unpacking during iteration” is not allowed in the new syntax and so there is no check for that any more.

So basically what Jinja does currently is disallowing all access to attributes like “__subclasses__”, disallowing attribute modifications on objects passed to the context, recursive includes, infinite loops etc.

I think as long as you can limit the syntax to expressions there are ways to restrict Python enough to allow the execution of untrusted code.

]]> By: Graham Dumpleton http://lucumr.pocoo.org/cogitations/2008/01/01/python-template-engine-comparison/#comment-1360 Graham Dumpleton Wed, 02 Jan 2008 02:02:42 +0000 http://lucumr.pocoo.org/cogitations/2008/01/01/python-template-engine-comparison/#comment-1360 You must have been reading my mind as it was only a few days ago that I was trying to get hold of you on IRC to discuss your opinions on different templating solutions. You weren't around at the time though. One question I still have though about Jinja is, in practice what it's sandboxing really means, given that in Python it is pretty well impossible to create a restricted execution environment that you can't break out of in some way. So, what are the benefits of otherwise of sandboxing in Jinja? You must have been reading my mind as it was only a few days ago that I was trying to get hold of you on IRC to discuss your opinions on different templating solutions. You weren’t around at the time though.

One question I still have though about Jinja is, in practice what it’s sandboxing really means, given that in Python it is pretty well impossible to create a restricted execution environment that you can’t break out of in some way.

So, what are the benefits of otherwise of sandboxing in Jinja?

]]> By: Braydon Fuller http://lucumr.pocoo.org/cogitations/2008/01/01/python-template-engine-comparison/#comment-1359 Braydon Fuller Tue, 01 Jan 2008 23:35:12 +0000 http://lucumr.pocoo.org/cogitations/2008/01/01/python-template-engine-comparison/#comment-1359 "I hope this post sums up why I’m using all three template engines and why I think we should be happy that we can chose between a couple of template engines :-)" Word! :) I am using Cheetah on a current project, and haven't run into any problems yet. I'll have to try out Mako and see how it compares, and what will work best for my different projects. I had a similar reaction to Django's templates at first, but haven't used them yet to get to know it better. “I hope this post sums up why I’m using all three template engines and why I think we should be happy that we can chose between a couple of template engines :-)”

Word! :)

I am using Cheetah on a current project, and haven’t run into any problems yet. I’ll have to try out Mako and see how it compares, and what will work best for my different projects. I had a similar reaction to Django’s templates at first, but haven’t used them yet to get to know it better.

]]>