The Artima Developer Community
Weblogs Forum
Django vs. Cheetah: 1-0

86 replies on 6 pages. Most recent reply: Jan 28, 2008 1:34 AM by Johnny Stovall

Niki Estner

Posts: 1
Nickname: nikie
Registered: Jan, 2006

Re: Django vs. Cheetah: 1-0 Posted: Jan 31, 2006 5:04 PM
I hope this isn't too far off-topic, but I've been wondering about this ever since I've started doing things in Python:
Wouldn't it be nice to have some kind of standard templating engine that's part of the standard python distribution, something like ruby's erb/eruby (I can never remember which one is which)?
Sure, there's string.Template, but it lacks some important features, mainly loops and if's. Is there maybe hope that such an engine (with a beautiful extensible, pythonic interface, if possible) might be included "with the batteries" in the future?

Eugene Lazutkin

Posts: 15
Nickname: elazutkin
Registered: Jan, 2006

Re: Django vs. Cheetah: 1-0 Posted: Jan 31, 2006 5:37 PM
> a little to really see what its about. Whereas Django
> definitely has shallow newbie appeal, its design concepts
> will definitely become a letdown on a large project; while
> you might go and develop your project's first version with
> it, I am sure that you will eventually be back looking for
> something else within a few months if not sooner.

AFAIK Django came from *large* projects, so its ability to do large scale developments is proved already. Care to substantiate your claim? I think everybody wants to know why Django "will definitely become a letdown on a large project".

> environment ? I dont see how you can think Django is
> extensible when its very design philosophy states that it
> is opposed to any kind of interoperability with the
> outside world.

Where is it stated? From http://www.djangoproject.com/documentation/design_philosophies/

Overall
o Loose coupling
o Less code
o Quick development
o Don't repeat yourself (DRY)
o Explicit is better than implicit
o Consistency

Models
o Explicit is better than implicit
o Include all relevant domain logic

Database API
o SQL efficiency
o Terse, powerful syntax
o Option to drop into raw SQL easily, when needed

URL design
o Loose coupling
o Infinite flexibility
o Encourage best practices
o Definitive URLs

Template system
o Separate logic from presentation
o Discourage redundancy
o Be decoupled from HTML
o Assume designer competence
o Treat whitespace obviously
o Don't invent a programming language
o Safety and security
o Extensibility

Views
o Simplicity
o Use request objects
o Loose coupling
o Designate between GET and POST

Did I miss something?

Thanks,

Eugene

Fredrik Lundh

Posts: 16
Nickname: effbot
Registered: Mar, 2005

Re: Django vs. Cheetah: 1-0 Posted: Jan 31, 2006 5:50 PM
> Did I miss something?

If the toolkits are as bad as the advocacy, stuff like Pylons and Myghty should be avoided at all costs.

Shannon -jj Behrens

Posts: 12
Nickname: jjinux
Registered: Aug, 2005

Re: Django vs. Cheetah: 1-0 Posted: Jan 31, 2006 6:04 PM
[concerning htmltext from Quixote]
> Maybe someone could write up a PEP? I think it ought to be part of the Python standard library (eventually).

Also, let's not forget about escaping stuff shoved into JavaScript.

mike bayer

Posts: 22
Nickname: zzzeek
Registered: Jan, 2005

Re: Django vs. Cheetah: 1-0 Posted: Jan 31, 2006 6:12 PM
> > Did I miss something?
>
> If the toolkits are as bad as the advocacy, stuff like
> Pylons and Myghty should be avoided at all costs.

lest we forget someone calling Pylons a "volatile, currently-Subversion-only thought experiment"..(http://panela.blog-city.com/python_web_framework_shootout_take_3__petitioning_guido_goog.htm) even though it is powering a high traffic website as well.

the flame goes in all directions with this kind of thing.

Lone Star

Posts: 7
Nickname: lonestar
Registered: Jan, 2006

Re: Django vs. Cheetah: 1-0 Posted: Jan 31, 2006 7:07 PM
I don't think standardization is advisable for escaping because there is no standard way to escape. Escaping depends on context: inside html, inside javascript area, inside webservice output etc. Depending on the context your output will be used different characters have to be escaped. And sometimes even escaping doesn't cut it. Then you have to use whitelisting.

"escaping by default" for a template engine is a bad idea for this very reason. And also, it leaves naive users with a false sense of security (like PHPs autoescaping and the security mess it has generated).

And last but not least: let's be nice to each other. I personally like calm, friendly and objective responses the most.
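The context dependence Lone Star describes (and the JavaScript case Shannon raised a few posts up) in working Python, as an added example that is not part of any post in this thread and not code from any template engine discussed here: one escaper per output context, plus a scheme whitelist for the href case where escaping alone cannot help. The helper names, the `ALLOWED_SCHEMES` policy and the sample values are constructed for the example.

```python
import html
import json
import re
from urllib.parse import urlsplit

# Constructed site policy for this example: which URL schemes an href may use.
ALLOWED_SCHEMES = {"http", "https", "mailto"}


def escape_html_text(value):
    """Element content: only '&', '<' and '>' change meaning here."""
    return html.escape(str(value), quote=False)


def escape_html_attr(value):
    """Double-quoted attribute value: the quote characters must go too."""
    return html.escape(str(value), quote=True)


def escape_js_string(value):
    """String literal inside a <script> block.

    HTML escaping is the wrong tool in this context: the JS string would
    contain a literal '&lt;'.  json.dumps() produces a valid JS string
    literal, encodes non-ASCII (including the U+2028/U+2029 line
    separators that break JS string literals) as \\uXXXX, and the extra
    replace keeps '</script>' from ever appearing inside the literal.
    """
    return json.dumps(str(value)).replace("</", "<\\/")


def safe_href(value):
    """Whitelisting, not escaping, for the href context.

    No amount of HTML escaping makes a script-scheme URL harmless, so the
    scheme is checked against ALLOWED_SCHEMES (scheme-less, relative URLs
    pass).  Whitespace is removed before parsing because browsers ignore
    it when they read the scheme.
    """
    candidate = re.sub(r"\s+", "", str(value))
    scheme = urlsplit(candidate).scheme.lower()
    if scheme and scheme not in ALLOWED_SCHEMES:
        return "#"
    return escape_html_attr(value)


def render_card(name, title, homepage):
    """Three output contexts in one fragment, each with its own escaper."""
    return (
        '<div title="%s">' % escape_html_attr(title)
        + '<a href="%s">%s</a>' % (safe_href(homepage), escape_html_text(name))
        + "<script>var who = %s;</script>" % escape_js_string(name)
        + "</div>"
    )


if __name__ == "__main__":
    # Constructed sample values.
    print(render_card('Ann <3', 'say "hi"', "/home"))
    print(render_card("</script><b>x</b>", "t", "javascript:void(0)"))
```

The point of `render_card` is that the same value (`name`) is escaped twice, differently, because it lands in two contexts; a template engine that applies one global "escape by default" filter gets at most one of them right, which is the false sense of security the post above warns about.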

Eugene Lazutkin

Posts: 15
Nickname: elazutkin
Registered: Jan, 2006

Re: Django vs. Cheetah: 1-0 Posted: Jan 31, 2006 7:21 PM
> > > Did I miss something?
> >
> > If the toolkits are as bad as the advocacy, stuff like
> > Pylons and Myghty should be avoided at all costs.
>
> lest we forget someone calling Pylons a "volatile,
> currently-Subversion-only thought
> experiment"..(http://panela.blog-city.com/python_web_framew
> ork_shootout_take_3__petitioning_guido_goog.htm) even
> though it is powering a high traffic website as well.
>
> the flame goes in all directions with this kind of thing.

While I have no first-hand experience with Pylons, I recognised that Adrian's snide remark is unsubstantiated, and I ignored it completely. Now I understand that your rhetoric was based on the eye-for-eye doctrine instead of technical merits, so I advise to ignore it too. Sorry.

Guido van Rossum

Posts: 359
Nickname: guido
Registered: Apr, 2003

Re: Django vs. Cheetah: 1-0 Posted: Jan 31, 2006 10:11 PM
FWIW, there's now a thread on web-sig@python.org about standardizing a template (plug-in) API. Hopefully they'll cook something up that most template and framework authors can use.

http://mail.python.org/pipermail/web-sig/2006-January/001912.html

Tavis Rudd

Posts: 13
Nickname: tavis
Registered: Jan, 2006

Re: Django vs. Cheetah: 1-0 Posted: Jan 31, 2006 10:29 PM
Hi Eugene,

Eugene Lazutkin writes:
> AFAIK original Django authors decided against using
> templates as a front for Python interpreter precisely
> because of this reason: templates should not be able to
> bring down the system no matter what. They should provide
> a functionality required by web designers and nothing
> more. Otherwise it is a huge liability, a potential
> security hole, and a maintenance nightmare.

Unless you have a mechanism for restricting what is allowed in templates, which Cheetah does, it is a security hole. I disagree with the rest of this, though. How is compiling to python code a 'huge liability' or a 'maintenance nightmare'?

An exception in a Cheetah template doesn't "bring the system down". The framework calling Cheetah catches the exception and, if it's a good framework, reports the exception to the dev/sysadmin team while presenting a friendlier error message to the end user. This only happens if there are bugs in your code. This is the same as a syntax or runtime error in any template system.

Perhaps you're thinking about situations where end-users are able to edit templates directly, via something like a cms or a wiki.

Eugene Lazutkin

Posts: 15
Nickname: elazutkin
Registered: Jan, 2006

Re: Django vs. Cheetah: 1-0 Posted: Jan 31, 2006 10:45 PM
> Perhaps you're thinking about situations where end-users
> are able to edit templates directly, via something like a
> cms or a wiki.

Actually I was thinking about big projects with dedicated programmers, and web designers. Usually the latter are not very good at programming, but are big on design, while the former are not very proficient at art. If I have a single man hobby project, I can tolerate a lot of rough edges, and I don't mind jumping through some hoops to get things done. It is a completely different matter, when you have many people involved.

Did you try to audit 100,000+ lines of .asp or .jsp, which is basically your target format with mixed-in pieces of executable code, for potential security breaches? I did. :-( I hope you understand me now.

BTW, your example with CMS and Wiki is a good one too, but there are some ways around it like filtering input, or (you saw it coming, right?) using a simpler template language.

Tavis Rudd

Posts: 13
Nickname: tavis
Registered: Jan, 2006

Re: Django vs. Cheetah: 1-0 Posted: Feb 1, 2006 12:33 AM
Eugene,

> 100,000+ lines of .asp or .jsp
ouch! I'm sorry for the pain you suffered :)

I understand where you're coming from but think we're miscommunicating on a few points.

First, Cheetah is being used very successfully on projects of a similarly large scale with very diverse teams: http://cheetahtemplate.org/whouses.html. IronPort has over a million lines of Python and Cheetah code. If I understand correctly, >100,000 lines of that is Cheetah code. I personally manage a project with roughly 200,000 lines of Python and Cheetah code. These teams aren't tolerating "a lot of rough edges" or "jumping through some hoops to get things done." They're raving about it: http://cheetahtemplate.org/praise.html.

They're not grumbling about Cheetah compiling into Python classes. That is one of the key features they rave about:

"We have found Cheetah to be a gloriously flexible and powerful technology. Functions within templates allowed us to do far more elegant structured programming at the document level. Being able to use templates as python classes, importing constants and other goodies directly from our middleware python code really lets them act as first class code members instead of an ugly lesser citizen."
- James Robinson (socialserve.com)

The security hole argument is completely valid with regards to Cheetah 1.0. (Are django templates completely sandboxed?)

However, Cheetah 2.0 is a very different beast. It allows you to define a smaller subset of the language when you need to restrict what certain developers/designers can put in their templates. The subset can be as small as you want. You can have developers with higher privileges create a template using the full unrestricted syntax and then have less privileged developers create a specialized subclass of that same template using only a restricted subset of the syntax.

Here's a trivial example (~10 lines) of how to create a subset that has no directives and allows only a few specific placeholders:
============

import traceback
from Cheetah.Template import Template
from Cheetah.Parser import ForbiddenExpression

def filterExpr(parser, expr, exprType, rawExpr, startPos=None):
    # Expression filter hook: the parser calls it for every placeholder it
    # meets; anything outside the whitelist aborts compilation.
    if rawExpr not in ('$a', '$b', '$c', '$f("Y")', '$f', '$f()'):
        if startPos is not None:
            parser.setPos(startPos)  # make the error message point at the offending expression
        raise ForbiddenExpression(parser, '%r is not a permitted expression' % rawExpr)

class SafeTemplate(Template):
    # No directives at all (enabledDirectives=[None]) and only whitelisted placeholders.
    _CHEETAH_compilerSettings = dict(
        enabledDirectives=[None],
        expressionFilterHooks=[filterExpr]
    )

def func(arg='Y'):
    return arg

safeSrc = '''
Safe source
$a $b $c $f $f() $f("Y")
'''

unsafeSrc = '''
Unsafe source
$a $b $c $f $f() $f("Y")
#def method(x, y)
$x,$y
#end def
'''

unsafeSrc2 = '''
Unsafe source 2
$a $b $c $d $f $f() $f("Y")
'''

unsafeSrc3 = '''
Unsafe source 3
$a $b $c $f $f() $f("Y") $f("N")
'''

searchList = [dict(a='Y', b='Y', c='Y', d='N', f=func)]
for src in (safeSrc, unsafeSrc, unsafeSrc2, unsafeSrc3):
    try:
        print 'Normal Template Class:'
        print Template.compile(src)(searchList=searchList)      # unrestricted: everything compiles
        print 'Safe Template Class:'
        print SafeTemplate.compile(src)(searchList=searchList)  # restricted: the unsafe sources raise
    except Exception:
        traceback.print_exc()
============
The 'unsafe' ones raise something like this:

ForbiddenExpression:

'f("N")' is not a permitted expression. Line 3, column 26

Line|Line contents
----|-------------------------------------------------------------
2   |Unsafe source 3
3   |$a $b $c $f $f() $f("Y") $f("N")
                              ^

See if you can slip something by that.

If you'd rather have unsafe code just printed in the output rather than raise ForbiddenExpression there is a simple mechanism for doing that as well.

> BTW, your example with CMS and Wiki is a good one too, but
> there are some ways around it like filtering input, or
> (you saw it coming, right?) using a simpler template
> language.

I agree about using a simpler template language for such things, which is exactly what Cheetah's filters allow you to create.

Mario Ruggier

Posts: 4
Nickname: mr17
Registered: Jan, 2006

Re: Django vs. Cheetah: 1-0 Posted: Feb 1, 2006 7:09 AM
> Of course this is pretty much exactly the Quixote
> approach, IIRC, except it shouldn't require hacking the
> Python interpreter or (equivalently) preprocessing Python
> source, and the same type (or interface, at least) should
> be supported by all templating libraries. Maybe someone
> could write up a PEP? I think it ought to be part of the
> Python standard library (eventually).

Quixote's PTL and htmltext class have been mentioned several times, but not the newer QPY and h8 class... QPY (the templating used by the QP web application framework) is different from PTL in the following ways:

- is distributed as a separate package
- is unicode
- compiles the .qpy files to .pyc, as opposed to using an import hook, i.e. less tricky, implying that pydoc works, and other advantages probably...

To reduce some potential confusion between PTL and QPY (as well as between the Quixote and QP frameworks) take a look at this discussion: http://mail.mems-exchange.org/durusmail/quixote-users/5303/

mario

[QPY] http://www.mems-exchange.org/software/qpy/
[QP] http://www.mems-exchange.org/software/qp/

Luis Gonzalez

Posts: 5
Nickname: neuruss
Registered: Jan, 2006

Re: Django vs. Cheetah: 1-0 Posted: Feb 1, 2006 8:26 AM
> I hate stuff like:
>
> {%if name%}
> <h1>Hello {{name}}</h1>
> {%else%}
> <h1>Hello There</h1>
> {%endif%}
>
> Making good looking HTML is hard enough without mixing it
> with a programming language. In addition, you are
> generating the HTML out of context. It's much better to use
> a nice wysiwyg design tool for the HTML, and keep the
> code separate. Simply put it is necessary to separate the
> graphic design and the functionality.
>
> I have been using various techniques to do this for a
> number of years now, and its getting easier all the time
> due to browser improvements.
>
> Take a look at what is now called AJAX (New name for a
> very old dog!). This allows you to treat a web page as a
> data source, and then fill the called function results
> back into the web page without refreshing the HTML. This
> means that the style information is not messed with, just
> the data. The only drawback is that you may have to learn
> javascript if you don't find the libs you need on the web.
>
> Development is then a whizz... The graphic designer
> designs the HTML, the programmer then supplies some
> standard javascript libs and the server side is just data
> interchange. I find this approach works well (at least for
> me).


Amen.

Luis Gonzalez

Posts: 5
Nickname: neuruss
Registered: Jan, 2006

Re: Django vs. Cheetah: 1-0 Posted: Feb 1, 2006 8:28 AM
> It's much better to use
> a nice wysiwyg design tool for the HTML, and keep the
> code separate. Simply put it is necessary to separate the
> graphic design and the functionality.


Amen.

Mario Ruggier

Posts: 4
Nickname: mr17
Registered: Jan, 2006

Re: Django vs. Cheetah: 1-0 Posted: Feb 1, 2006 9:11 AM
James Bond "spending quite a lot of time looking at the various templating systems for python" ? Hmmn, are we embarking on some 007 years of strife, or of plenty ;-?

> After a long investigation my favorite is cubictemp.

The page for that mentions yaptu... if I may, if only for the historical footnote, I had made, a lifetime ago in 2002, a template module that I would categorize as an "XML friendly" template module based on yaptu, called xyaptu. Even then, I was very unconvinced about XML's appropriateness for everything, as seemed fashionable at that time, but I had to live with it. If curious:

http://aspn.activestate.com/ASPN/Cookbook/Python/Recipe/162292

Copyright © 1996-2014 Artima, Inc. All Rights Reserved. - Privacy Policy - Terms of Use - Advertise with Us