I haven't written this in the code yet but I want to parse YAML from my website users. The YAML should just be string key/values and lists of strings.
They input YAML into a textbox, send it to the server, then the python will parse the YAML, put it in the database and it will later be queryable.
Is there anything I need to do to be able to safely do the above?
The main thing to observe is to parse the yaml with either
safe_load (ruamel.yaml, supporting YAML 1.2; PyYAML, YAML 1.1), or
round_trip_load (ruamel.yaml; this will allow you to extract comments in the YAML file if necessary).
load could be used to execute programs by the Python interpreter, unless you pre-process the YAML to remove any tags.
Disclaimer: I am the author of ruamel.yaml
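A worked version of the safe_load advice above, added here as an example and not code from the answer's author or from ruamel.yaml. It assumes PyYAML (imported as `yaml`); the size and item caps, the error type and the sample documents are all made up for illustration. The point it adds beyond the answer is that a safe loader only stops object construction: it still returns integers, booleans, null, nested mappings and even non-string keys, so the "string key/values and lists of strings" rule from the question has to be enforced on the parsed result before it reaches the database.

```python
"""Accept user-supplied YAML that must be {str: str | [str, ...]} and nothing else.

Added example (not from the answer above); assumes PyYAML is installed as `yaml`.
MAX_BYTES, MAX_ITEMS and the sample documents are constructed for illustration.
"""

MAX_BYTES = 64 * 1024   # assumption: size cap per submission
MAX_ITEMS = 1000        # assumption: cap on keys plus list entries kept


class UserYAMLError(ValueError):
    """Submission is not plain string key/values and lists of strings."""


def validate_shape(data):
    """Return `data` if it is a mapping of str -> str or str -> [str, ...], else raise.

    safe_load only guarantees that no Python objects get constructed. It still
    yields ints, floats, booleans, None, nested mappings and non-string keys
    (`port: 80` is an int; `on: yes` under YAML 1.1 becomes {True: True}), so
    the schema must be enforced separately before anything hits the database.
    """
    if data is None:              # an empty textbox parses to None; treat as an empty mapping
        data = {}
    if not isinstance(data, dict):
        raise UserYAMLError("top level must be a mapping")
    count = 0
    for key, value in data.items():
        if not isinstance(key, str):
            raise UserYAMLError(f"key {key!r} is not a string")
        if isinstance(value, str):
            count += 1
        elif isinstance(value, list) and all(isinstance(v, str) for v in value):
            count += 1 + len(value)
        else:
            raise UserYAMLError(f"value of {key!r} must be a string or a list of strings")
        if count > MAX_ITEMS:
            raise UserYAMLError("too many entries")
    return data


def shape_error(data):
    """Return the validation message for an already-parsed object, or None if it conforms."""
    try:
        validate_shape(data)
    except UserYAMLError as exc:
        return str(exc)
    return None


def parse_user_yaml(text):
    """Parse untrusted YAML with PyYAML's safe loader, then enforce the schema."""
    import yaml  # PyYAML; imported here so the validators above also run without it

    if len(text.encode("utf-8")) > MAX_BYTES:
        raise UserYAMLError("submission too large")
    try:
        data = yaml.safe_load(text)        # never yaml.load(text, Loader=yaml.Loader) on user input
    except yaml.YAMLError as exc:          # ConstructorError for !!python/... tags lands here
        raise UserYAMLError(f"invalid YAML: {exc}") from None
    return validate_shape(data)


def parse_error(text):
    """Return the error message for a raw submission, or None if it was accepted."""
    try:
        parse_user_yaml(text)
    except UserYAMLError as exc:
        return str(exc)
    return None


# Constructed sample submissions.
GOOD = "name: alice\ntags:\n  - admin\n  - ops\n"
NOT_PLAIN = "port: 80\non: yes\n"                         # int value and a boolean key
NESTED = "creds:\n  user: bob\n"                          # nested mapping
TAGGED = "cmd: !!python/object/apply:os.system ['id']\n"  # would run a program under yaml.load


if __name__ == "__main__":
    print(parse_user_yaml(GOOD))
    for sample in (NOT_PLAIN, NESTED, TAGGED):
        print(repr(sample), "->", parse_error(sample))
```

With ruamel.yaml the parsing line becomes `YAML(typ='safe').load(text)`; the shape check stays the same. One caveat the caps do not cover: a safe loader still expands anchors and aliases, so a small document can expand into a large structure before MAX_ITEMS is ever consulted; if that matters for your service, reject submissions containing `&` anchors before parsing, or run the parse under a memory/time limit.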