<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <title>Sandbox — Jinja2 2.7.2 documentation</title> <link rel="stylesheet" href="_static/jinja.css" type="text/css" /> <link rel="stylesheet" href="_static/pygments.css" type="text/css" /> <script type="text/javascript"> var DOCUMENTATION_OPTIONS = { URL_ROOT: '', VERSION: '2.7.2', COLLAPSE_INDEX: false, FILE_SUFFIX: '.html', HAS_SOURCE: true }; </script> <script type="text/javascript" src="_static/jquery.js"></script> <script type="text/javascript" src="_static/underscore.js"></script> <script type="text/javascript" src="_static/doctools.js"></script> <link rel="top" title="Jinja2 2.7.2 documentation" href="index.html" /> <link rel="next" title="Template Designer Documentation" href="templates.html" /> <link rel="prev" title="API" href="api.html" /> </head> <body> <div class="related"> <h3>Navigation</h3> <ul> <li class="right" style="margin-right: 10px"> <a href="genindex.html" title="General Index" accesskey="I">index</a></li> <li class="right" > <a href="templates.html" title="Template Designer Documentation" accesskey="N">next</a> |</li> <li class="right" > <a href="api.html" title="API" accesskey="P">previous</a> |</li> <li><a href="index.html">Jinja2 2.7.2 documentation</a> »</li> </ul> </div> <div class="document"> <div class="documentwrapper"> <div class="bodywrapper"> <div class="body"> <div class="section" id="sandbox"> <h1>Sandbox<a class="headerlink" href="#sandbox" title="Permalink to this headline">¶</a></h1> The Jinja2 sandbox can be used to evaluate untrusted code. Access to unsafe attributes and methods is prohibited. Assuming <cite>env</cite> is a <tt class="xref py py-class docutils literal">SandboxedEnvironment</tt> in the default configuration the following piece of code shows how it works: <div class="highlight-python"><div class="highlight"><pre>>>> env.from_string("{{ func.func_code }}").render(func=lambda:None) u'' >>> env.from_string("{{ func.func_code.do_something }}").render(func=lambda:None) Traceback (most recent call last): ... SecurityError: access to attribute 'func_code' of 'function' object is unsafe. </pre></div> </div> <div class="section" id="module-jinja2.sandbox"> <h2>API<a class="headerlink" href="#module-jinja2.sandbox" title="Permalink to this headline">¶</a></h2> <dl class="class"> <dt id="jinja2.sandbox.SandboxedEnvironment"> class <tt class="descclassname">jinja2.sandbox.</tt><tt class="descname">SandboxedEnvironment</tt><big>(</big>[options]<big>)</big><a class="headerlink" href="#jinja2.sandbox.SandboxedEnvironment" title="Permalink to this definition">¶</a></dt> <dd>The sandboxed environment. It works like the regular environment but tells the compiler to generate sandboxed code. Additionally subclasses of this environment may override the methods that tell the runtime what attributes or functions are safe to access. If the template tries to access insecure code a <a class="reference internal" href="#jinja2.sandbox.SecurityError" title="jinja2.sandbox.SecurityError"><tt class="xref py py-exc docutils literal">SecurityError</tt></a> is raised. However also other exceptions may occur during the rendering so the caller has to ensure that all exceptions are caught. <dl class="method"> <dt id="jinja2.sandbox.SandboxedEnvironment.is_safe_attribute"> <tt class="descname">is_safe_attribute</tt><big>(</big>obj, attr, value<big>)</big><a class="headerlink" href="#jinja2.sandbox.SandboxedEnvironment.is_safe_attribute" title="Permalink to this definition">¶</a></dt> <dd>The sandboxed environment will call this method to check if the attribute of an object is safe to access. Per default all attributes starting with an underscore are considered private as well as the special attributes of internal python objects as returned by the <a class="reference internal" href="#jinja2.sandbox.is_internal_attribute" title="jinja2.sandbox.is_internal_attribute"><tt class="xref py py-func docutils literal">is_internal_attribute()</tt></a> function. </dd></dl> <dl class="method"> <dt id="jinja2.sandbox.SandboxedEnvironment.is_safe_callable"> <tt class="descname">is_safe_callable</tt><big>(</big>obj<big>)</big><a class="headerlink" href="#jinja2.sandbox.SandboxedEnvironment.is_safe_callable" title="Permalink to this definition">¶</a></dt> <dd>Check if an object is safely callable. Per default a function is considered safe unless the <cite>unsafe_callable</cite> attribute exists and is True. Override this method to alter the behavior, but this won’t affect the <cite>unsafe</cite> decorator from this module. </dd></dl> <dl class="attribute"> <dt id="jinja2.sandbox.SandboxedEnvironment.default_binop_table"> <tt class="descname">default_binop_table</tt> = {'//': <built-in function floordiv>, '%': <built-in function mod>, '+': <built-in function add>, '*': <built-in function mul>, '-': <built-in function sub>, '/': <built-in function truediv>, '**': <built-in function pow>}<a class="headerlink" href="#jinja2.sandbox.SandboxedEnvironment.default_binop_table" title="Permalink to this definition">¶</a></dt> <dd>default callback table for the binary operators. A copy of this is available on each instance of a sandboxed environment as <tt class="xref py py-attr docutils literal">binop_table</tt> </dd></dl> <dl class="attribute"> <dt id="jinja2.sandbox.SandboxedEnvironment.default_unop_table"> <tt class="descname">default_unop_table</tt> = {'+': <built-in function pos>, '-': <built-in function neg>}<a class="headerlink" href="#jinja2.sandbox.SandboxedEnvironment.default_unop_table" title="Permalink to this definition">¶</a></dt> <dd>default callback table for the unary operators. A copy of this is available on each instance of a sandboxed environment as <tt class="xref py py-attr docutils literal">unop_table</tt> </dd></dl> <dl class="attribute"> <dt id="jinja2.sandbox.SandboxedEnvironment.intercepted_binops"> <tt class="descname">intercepted_binops</tt> = frozenset([])<a class="headerlink" href="#jinja2.sandbox.SandboxedEnvironment.intercepted_binops" title="Permalink to this definition">¶</a></dt> <dd>a set of binary operators that should be intercepted. Each operator that is added to this set (empty by default) is delegated to the <a class="reference internal" href="#jinja2.sandbox.SandboxedEnvironment.call_binop" title="jinja2.sandbox.SandboxedEnvironment.call_binop"><tt class="xref py py-meth docutils literal">call_binop()</tt></a> method that will perform the operator. The default operator callback is specified by <tt class="xref py py-attr docutils literal">binop_table</tt>. The following binary operators are interceptable: <tt class="docutils literal">//</tt>, <tt class="docutils literal">%</tt>, <tt class="docutils literal">+</tt>, <tt class="docutils literal">*</tt>, <tt class="docutils literal">-</tt>, <tt class="docutils literal">/</tt>, and <tt class="docutils literal">**</tt> The default operation form the operator table corresponds to the builtin function. Intercepted calls are always slower than the native operator call, so make sure only to intercept the ones you are interested in. New in version 2.6. </dd></dl> <dl class="attribute"> <dt id="jinja2.sandbox.SandboxedEnvironment.intercepted_unops"> <tt class="descname">intercepted_unops</tt> = frozenset([])<a class="headerlink" href="#jinja2.sandbox.SandboxedEnvironment.intercepted_unops" title="Permalink to this definition">¶</a></dt> <dd>a set of unary operators that should be intercepted. Each operator that is added to this set (empty by default) is delegated to the <a class="reference internal" href="#jinja2.sandbox.SandboxedEnvironment.call_unop" title="jinja2.sandbox.SandboxedEnvironment.call_unop"><tt class="xref py py-meth docutils literal">call_unop()</tt></a> method that will perform the operator. The default operator callback is specified by <tt class="xref py py-attr docutils literal">unop_table</tt>. The following unary operators are interceptable: <tt class="docutils literal">+</tt>, <tt class="docutils literal">-</tt> The default operation form the operator table corresponds to the builtin function. Intercepted calls are always slower than the native operator call, so make sure only to intercept the ones you are interested in. New in version 2.6. </dd></dl> <dl class="method"> <dt id="jinja2.sandbox.SandboxedEnvironment.call_binop"> <tt class="descname">call_binop</tt><big>(</big>context, operator, left, right<big>)</big><a class="headerlink" href="#jinja2.sandbox.SandboxedEnvironment.call_binop" title="Permalink to this definition">¶</a></dt> <dd>For intercepted binary operator calls (<a class="reference internal" href="#jinja2.sandbox.SandboxedEnvironment.intercepted_binops" title="jinja2.sandbox.SandboxedEnvironment.intercepted_binops"><tt class="xref py py-meth docutils literal">intercepted_binops()</tt></a>) this function is executed instead of the builtin operator. This can be used to fine tune the behavior of certain operators. New in version 2.6. </dd></dl> <dl class="method"> <dt id="jinja2.sandbox.SandboxedEnvironment.call_unop"> <tt class="descname">call_unop</tt><big>(</big>context, operator, arg<big>)</big><a class="headerlink" href="#jinja2.sandbox.SandboxedEnvironment.call_unop" title="Permalink to this definition">¶</a></dt> <dd>For intercepted unary operator calls (<a class="reference internal" href="#jinja2.sandbox.SandboxedEnvironment.intercepted_unops" title="jinja2.sandbox.SandboxedEnvironment.intercepted_unops"><tt class="xref py py-meth docutils literal">intercepted_unops()</tt></a>) this function is executed instead of the builtin operator. This can be used to fine tune the behavior of certain operators. New in version 2.6. </dd></dl> </dd></dl> <dl class="class"> <dt id="jinja2.sandbox.ImmutableSandboxedEnvironment"> class <tt class="descclassname">jinja2.sandbox.</tt><tt class="descname">ImmutableSandboxedEnvironment</tt><big>(</big>[options]<big>)</big><a class="headerlink" href="#jinja2.sandbox.ImmutableSandboxedEnvironment" title="Permalink to this definition">¶</a></dt> <dd>Works exactly like the regular <cite>SandboxedEnvironment</cite> but does not permit modifications on the builtin mutable objects <cite>list</cite>, <cite>set</cite>, and <cite>dict</cite> by using the <a class="reference internal" href="#jinja2.sandbox.modifies_known_mutable" title="jinja2.sandbox.modifies_known_mutable"><tt class="xref py py-func docutils literal">modifies_known_mutable()</tt></a> function. </dd></dl> <dl class="exception"> <dt id="jinja2.sandbox.SecurityError"> exception <tt class="descclassname">jinja2.sandbox.</tt><tt class="descname">SecurityError</tt><big>(</big>message=None<big>)</big><a class="headerlink" href="#jinja2.sandbox.SecurityError" title="Permalink to this definition">¶</a></dt> <dd>Raised if a template tries to do something insecure if the sandbox is enabled. </dd></dl> <dl class="function"> <dt id="jinja2.sandbox.unsafe"> <tt class="descclassname">jinja2.sandbox.</tt><tt class="descname">unsafe</tt><big>(</big>f<big>)</big><a class="headerlink" href="#jinja2.sandbox.unsafe" title="Permalink to this definition">¶</a></dt> <dd>Marks a function or method as unsafe. <div class="highlight-python"><div class="highlight"><pre>@unsafe def delete(self): pass </pre></div> </div> </dd></dl> <dl class="function"> <dt id="jinja2.sandbox.is_internal_attribute"> <tt class="descclassname">jinja2.sandbox.</tt><tt class="descname">is_internal_attribute</tt><big>(</big>obj, attr<big>)</big><a class="headerlink" href="#jinja2.sandbox.is_internal_attribute" title="Permalink to this definition">¶</a></dt> <dd>Test if the attribute given is an internal python attribute. For example this function returns <cite>True</cite> for the <cite>func_code</cite> attribute of python objects. This is useful if the environment method <a class="reference internal" href="#jinja2.sandbox.SandboxedEnvironment.is_safe_attribute" title="jinja2.sandbox.SandboxedEnvironment.is_safe_attribute"><tt class="xref py py-meth docutils literal">is_safe_attribute()</tt></a> is overridden. <div class="highlight-python"><div class="highlight"><pre>>>> from jinja2.sandbox import is_internal_attribute >>> is_internal_attribute(lambda: None, "func_code") True >>> is_internal_attribute((lambda x:x).func_code, 'co_code') True >>> is_internal_attribute(str, "upper") False </pre></div> </div> </dd></dl> <dl class="function"> <dt id="jinja2.sandbox.modifies_known_mutable"> <tt class="descclassname">jinja2.sandbox.</tt><tt class="descname">modifies_known_mutable</tt><big>(</big>obj, attr<big>)</big><a class="headerlink" href="#jinja2.sandbox.modifies_known_mutable" title="Permalink to this definition">¶</a></dt> <dd>This function checks if an attribute on a builtin mutable object (list, dict, set or deque) would modify it if called. It also supports the “user”-versions of the objects (<cite>sets.Set</cite>, <cite>UserDict.*</cite> etc.) and with Python 2.6 onwards the abstract base classes <cite>MutableSet</cite>, <cite>MutableMapping</cite>, and <cite>MutableSequence</cite>. <div class="highlight-python"><div class="highlight"><pre>>>> modifies_known_mutable({}, "clear") True >>> modifies_known_mutable({}, "keys") False >>> modifies_known_mutable([], "append") True >>> modifies_known_mutable([], "index") False </pre></div> </div> If called with an unsupported object (such as unicode) <cite>False</cite> is returned. <div class="highlight-python"><div class="highlight"><pre>>>> modifies_known_mutable("foo", "upper") False </pre></div> </div> </dd></dl> <div class="admonition-note admonition"> Note The Jinja2 sandbox alone is no solution for perfect security. Especially for web applications you have to keep in mind that users may create templates with arbitrary HTML in so it’s crucial to ensure that (if you are running multiple users on the same server) they can’t harm each other via JavaScript insertions and much more. Also the sandbox is only as good as the configuration. We strongly recommend only passing non-shared resources to the template and use some sort of whitelisting for attributes. Also keep in mind that templates may raise runtime or compile time errors, so make sure to catch them. </div> </div> <div class="section" id="operator-intercepting"> <h2>Operator Intercepting<a class="headerlink" href="#operator-intercepting" title="Permalink to this headline">¶</a></h2> New in version 2.6. For maximum performace Jinja2 will let operators call directly the type specific callback methods. This means that it’s not possible to have this intercepted by overriding <tt class="xref py py-meth docutils literal">Environment.call()</tt>. Furthermore a conversion from operator to special method is not always directly possible due to how operators work. For instance for divisions more than one special method exist. With Jinja 2.6 there is now support for explicit operator intercepting. This can be used to customize specific operators as necessary. In order to intercept an operator one has to override the <a class="reference internal" href="#jinja2.sandbox.SandboxedEnvironment.intercepted_binops" title="jinja2.sandbox.SandboxedEnvironment.intercepted_binops"><tt class="xref py py-attr docutils literal">SandboxedEnvironment.intercepted_binops</tt></a> attribute. Once the operator that needs to be intercepted is added to that set Jinja2 will generate bytecode that calls the <a class="reference internal" href="#jinja2.sandbox.SandboxedEnvironment.call_binop" title="jinja2.sandbox.SandboxedEnvironment.call_binop"><tt class="xref py py-meth docutils literal">SandboxedEnvironment.call_binop()</tt></a> function. For unary operators the <cite>unary</cite> attributes and methods have to be used instead. The default implementation of <a class="reference internal" href="#jinja2.sandbox.SandboxedEnvironment.call_binop" title="jinja2.sandbox.SandboxedEnvironment.call_binop"><tt class="xref py py-attr docutils literal">SandboxedEnvironment.call_binop</tt></a> will use the <tt class="xref py py-attr docutils literal">SandboxedEnvironment.binop_table</tt> to translate operator symbols into callbacks performing the default operator behavior. This example shows how the power (<tt class="docutils literal">**</tt>) operator can be disabled in Jinja2: <div class="highlight-python"><div class="highlight"><pre>from jinja2.sandbox import SandboxedEnvironment class MyEnvironment(SandboxedEnvironment): intercepted_binops = frozenset(['**']) def call_binop(self, context, operator, left, right): if operator == '**': return self.undefined('the power operator is unavailable') return SandboxedEnvironment.call_binop(self, context, operator, left, right) </pre></div> </div> Make sure to always call into the super method, even if you are not intercepting the call. Jinja2 might internally call the method to evaluate expressions. </div> </div> </div> </div> </div> <div class="sphinxsidebar"> <div class="sphinxsidebarwrapper"><a href="index.html"> <img class="logo" src="_static/jinja-small.png" alt="Logo"/> </a> <h3><a href="index.html">Table Of Contents</a></h3> <ul> <li><a class="reference internal" href="#">Sandbox</a><ul> <li><a class="reference internal" href="#module-jinja2.sandbox">API</a></li> <li><a class="reference internal" href="#operator-intercepting">Operator Intercepting</a></li> </ul> </li> </ul> <h3>Related Topics</h3> <ul> <li><a href="index.html">Documentation overview</a><ul> <li>Previous: <a href="api.html" title="previous chapter">API</a></li> <li>Next: <a href="templates.html" title="next chapter">Template Designer Documentation</a></li> </ul></li> </ul> <h3>This Page</h3> <ul class="this-page-menu"> <li><a href="_sources/sandbox.txt" rel="nofollow">Show Source</a></li> </ul> <div id="searchbox" style="display: none"> <h3>Quick search</h3> <form class="search" action="search.html" method="get"> <input type="text" name="q" /> <input type="submit" value="Go" /> <input type="hidden" name="check_keywords" value="yes" /> <input type="hidden" name="area" value="default" /> </form> Enter search terms or a module, class or function name. </div> <script type="text/javascript">$('#searchbox').show(0);</script> </div> </div> <div class="clearer"></div> </div> <div class="footer"> © Copyright 2008, Armin Ronacher. Created using <a href="http://sphinx.pocoo.org/">Sphinx</a>. </div> </body> </html>

blog

91 Club Online Casino in India Bonus Offers.800

June 24, 2025 blog 0

91 Club Online Casino in India – Bonus Offers ▶️ PLAY Содержимое Exclusive Welcome Package for New Players Regular Promotions and Tournaments for Existing Members Weekly Tournaments Other Regular Promotions How to Claim Your Bonus and Start Playing What to Expect After Claiming Your Bonus In the rapidly growing online …

Sweet Bonanza Oyna — Sweet bonanza slot güvenilir siteleri.8266

June 24, 2025 blog 0

Sweet Bonanza Oyna — Sweet bonanza slot güvenilir siteleri ▶️ OYNAMAK Содержимое Güvenilir Sweet Bonanza Oynama Siteleri Seçimi Sweet Bonanza Slot Oyunları Sweet Bonanza Oyunu Nedir? Sweet Bonanza Oyunlarında Güvenli Para Yatırma Yönergeleri Güvenli Para Yatırma Adımları Sweet Bonanza Slot oyunu, oyun dünyasında büyük bir bonanza olarak kabul edilir. Bu …

Казино онлайн

June 24, 2025 blog 0

Казино онлайн ▶️ ИГРАТЬ Содержимое Преимущества онлайн-казино Как выбрать лучшее онлайн-казино Основные правила игры в онлайн-казино Основные правила игры в онлайн-казино: Безопасность и конфиденциальность в онлайн-казино В наше время казино онлайн стало одним из самых популярных способов играть в азартные игры. Многие игроки предпочитают играть в интернете, потому что это …

Vavada Зеркало Вход на официальный сайт.2652

June 24, 2025 blog 0

Вавада казино | Vavada Зеркало Вход на официальный сайт ▶️ ИГРАТЬ Содержимое Вавада казино – надежный партнер для игроков Официальный сайт Vavada – доступ к играм и бонусам Преимущества и функции казино Vavada – почему игроки выбирают это казино Вавада казино – это место, где вы можете испытать на себе …

Казино Официальный сайт Pin Up Casino играть онлайн – Вход, Зеркало.1027 (2)

June 24, 2025 blog 0

Пин Ап Казино Официальный сайт | Pin Up Casino играть онлайн – Вход, Зеркало ▶️ ИГРАТЬ Содержимое Pin Up Casino: Официальный Сайт Вход в Казино Pin Up Зеркало Казино Как Играть Онлайн в Пин Ап Казино Шаг 2: Депозит Преимущества игроков Pin Up Casino Удобство и доступность Отзывы Игроков Положительные …

казино и ставки в БК – зеркало сайта Mostbet.4078

June 24, 2025 blog 0

Мостбет – онлайн казино и ставки в БК – зеркало сайта Mostbet ▶️ ИГРАТЬ Содержимое Преимущества онлайн-казино Mostbet Как сделать ставку в Mostbet Зеркало сайта Mostbet: безопасность и доступность Отзывы игроков о Mostbet Преимущества Mostbet Недостатки Mostbet В современном мире игроки имеют доступ к широкому спектру онлайн-казино и букмекерских компаний, …

1win официальный сайт букмекера — Обзор и зеркало для входа.5248

June 24, 2025 blog 0

1win официальный сайт букмекера — Обзор и зеркало для входа ▶️ ИГРАТЬ Содержимое 1win Официальный Сайт Букмекера Обзор и Зеркало для Входа Преимущества и Функции 1win Функции 1win: В мире ставок и азарта 1win является одним из самых популярных букмекеров, предлагающих широкий спектр услуг для игроков. Компания была основана в …

Glory Casino Bangladesh Official Website.3211 (2)

June 24, 2025 blog 0

Glory Casino Bangladesh Official Website ▶️ PLAY Содержимое About Glory Casino Features of the Official Website How to Register and Login at Glory Casino Bangladesh Games and Bonuses Glory Casino Bonuses Are you ready to experience the thrill of online gaming like never before? Look no further than the glory …

Casino non AAMS in Italia come riconoscere quelli affidabili.645

June 24, 2025 blog 0

Casino non AAMS in Italia – come riconoscere quelli affidabili ▶️ GIOCARE Содержимое Casino non AAMS in Italia: come evitare i trappi Consegni per giocatori online Identificare i casinò sicuri e trasparenti Come identificare i casinò non AAMS Controllare la licenza e le recensioni dei giocatori In Italia, il settore …

Ishonchli onlayn kazinolar O‘zbekistonda.121

June 24, 2025 blog 0

Ishonchli onlayn kazinolar O‘zbekistonda ▶️ O’YNANG Содержимое O‘zbekistonda onlayn kazinolarning qonuniy holati Qonuniy kazinolar Best online casino tanlash Onlayn kazinolarda o‘yinlar va ularning xususiyatlari O‘zbekistonda onlayn kazinolarda pul mablag‘lari va to‘lov tizimlari O‘zbekistonda onlayn kazino sohasi juda tez rivojlanib bormoqda. Ko‘plab best online casino saytlari o‘z xizmatlarini taklif qilmoqda, ammo …

Page 10 of 17« First...«8 91011 12 » ...Last »