<div dir="ltr"><br><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Aug 6, 2015 at 2:02 PM, Wes Turner <span dir="ltr"><<a href="mailto:wes.turner@gmail.com" target="_blank">wes.turner@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><br><div class="gmail_extra"><br><div class="gmail_quote"><span class="">On Wed, Aug 5, 2015 at 8:58 PM, Terry Reedy <span dir="ltr"><<a href="mailto:tjreedy@udel.edu" target="_blank">tjreedy@udel.edu</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span>On 8/5/2015 3:34 PM, Yury Selivanov wrote:<br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
'\{..}' feels unbalanced and weird.<br>
</blockquote>
<br></span>
Escape both. The closing } is also treated specially, and not inserted into the string. The compiler scans linearly from left to right, but human eyes are not so constrained.<br>
<br>
s = "abc\{kjljid some long expression jk78738}def"<br>
<br>
versus<br>
<br>
s = "abc\{kjljid some long expression jk78738\}def"<br>
<br>
and how about<br>
<br>
s = "abc\{kjljid some {long} expression jk78738\}def"</blockquote><div><br></div></span><div>+1: escape \{both\}.</div><div><br></div><div>Use cases where this is (as dangerous as other string interpolation methods):</div><div><br></div><div>* Shell commands that should be shlex-parsed/quoted</div><div>* (inappropriately, programmatically) writing</div><div> code with manually-added quotes ' and double quotes "</div><div>* XML, HTML, CSS, SQL, textual query language injection</div><div>* Convenient, but dangerous and IMHO much better handled</div><div> by e.g. MarkupSafe, a DOM builder, a query ORM layer</div><div><br></div><div>Docs / Utils:</div><div><br></div><div>* [ ] ENH: AST scanner for these (before I do __future__ import)</div><div>* [ ] DOC: About string interpolation, in general</div></div></div></div></blockquote><div><br></div><div>BTW here's a PR to add subprocess compat to sarge (e.g. for sarge.run)</div><div><br></div><div>* <a href="https://bitbucket.org/vinay.sajip/sarge/pull-requests/1/enh-add-call-check_call-check_output">https://bitbucket.org/vinay.sajip/sarge/pull-requests/1/enh-add-call-check_call-check_output</a></div><div>* <a href="https://sarge.readthedocs.org/en/latest/overview.html#why-not-just-use-subprocess">https://sarge.readthedocs.org/en/latest/overview.html#why-not-just-use-subprocess</a></div><div>* <a href="https://cwe.mitre.org/top25/">https://cwe.mitre.org/top25/</a></div><div> * #1: <a href="https://cwe.mitre.org/top25/#CWE-89">https://cwe.mitre.org/top25/#CWE-89</a> SQL Injection</div><div> * #2: <a href="https://cwe.mitre.org/top25/#CWE-78">https://cwe.mitre.org/top25/#CWE-78</a> OS Command injection</div><div> * ....</div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div class="gmail_extra"><div class="gmail_quote"><span class=""><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc 
solid;padding-left:1ex"><span><font color="#888888"><br>
<br>
<br>
<br>
<br>
-- <br>
Terry Jan Reedy</font></span><div><div><br>
<br>
_______________________________________________<br>
Python-ideas mailing list<br>
<a href="mailto:Python-ideas@python.org" target="_blank">Python-ideas@python.org</a><br>
<a href="https://mail.python.org/mailman/listinfo/python-ideas" rel="noreferrer" target="_blank">https://mail.python.org/mailman/listinfo/python-ideas</a><br>
Code of Conduct: <a href="http://python.org/psf/codeofconduct/" rel="noreferrer" target="_blank">http://python.org/psf/codeofconduct/</a><br>
</div></div></blockquote></span></div><br></div></div>
</blockquote></div><br></div></div>
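An added example, not from the thread above, illustrating the point made in the reply about interpolation into SQL and shell commands: a value spliced into the statement text is parsed as SQL, while a bound parameter or a shlex-quoted argument is treated as data. It uses a Python f-string as the stand-in for the proposed "\{expr}" syntax and an in-memory sqlite3 table with constructed rows.

```python
import shlex
import sqlite3


def make_db():
    # Constructed sample table so the example runs offline.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("O'Brien", "user")])
    return conn


def lookup_interpolated(conn, name):
    # String interpolation (an f-string here, the same hazard as the
    # proposed "\{expr}" form): the value becomes part of the SQL text,
    # so a quote inside it changes the statement instead of being data.
    sql = f"SELECT role FROM users WHERE name = '{name}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, name):
    # Parameter binding: the value travels separately from the statement,
    # so quotes in it are never parsed as SQL. This is what an ORM layer
    # does underneath.
    sql = "SELECT role FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def safe_shell_command(path):
    # Shell side of the same point: quote the value with shlex.quote
    # (or skip the shell entirely and pass an argv list to subprocess).
    return f"ls -l {shlex.quote(path)}"


def demo():
    conn = make_db()
    results = {"param": lookup_parameterized(conn, "O'Brien")}  # ['user']
    try:
        results["interp"] = lookup_interpolated(conn, "O'Brien")
    except sqlite3.OperationalError as exc:
        # The apostrophe terminated the literal early; the rest is bad SQL.
        results["interp"] = f"error: {exc}"
    results["shell"] = safe_shell_command("my file; name")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```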