How safe is using if statements in html with django?

How safe is using if statements in html templates with django? Eg.

{% if post.visibility == 'PUBLIC' %} show something.... {% endif %} 

How easy is it to change that from public to private if we don’t filter it accordingly in the backend for hackers or other people?

2 Answer(s)

It is perfectly safe. It is not ‘in html’ at all.

That code is being evaluated on the backend using the Jinja2 template engine. A frontend user can’t edit your if statement at all because by the time the message reaches them Jinja2 has already deleted it and replaced it with the computed version.

See: https://en.wiktionary.org/wiki/render#Verb

Answered on July 16, 2020.

Django template processing happens on server side. A visitor of the page will only see the final result, but not the if statements. It is thus not possible for him to access different content by changing the if statement (unless there is some other way to attack the server itself or inject different values into the if statement that are generated from user input).

