28 Apr 2023, 9:23 p.m.
On 29/04/23 6:59 am, Bruce Leban wrote:
To take this further, suppose you write 'Hello {username} from {company}'.format(userdata).format(companydata) where the user has set their name to "Dr. {secret} Evil" where {secret} is something in companydata that should not be exposed.
More generally, a format string should be treated as code, and doing anything that could result in untrusted user data being treated as code is a Bad Idea. -- Greg
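The chained-.format() leak described above, beside a single-pass rendering that avoids it, as an added example that is not part of the original post. The template, the dict names (userdata, companydata) and the sample values are constructed; the two-stage template escapes the second-stage field as {{company}} so the first .format() call does not raise KeyError.

```python
import string

# Constructed sample data. The user controls only their display name; the
# company dict holds a value that must never reach the rendered output.
USERDATA = {"username": "Dr. {secret} Evil"}
COMPANYDATA = {"company": "Acme", "secret": "API-KEY-PLACEHOLDER"}

# Two-stage template: {{company}} survives the first pass as {company}.
TWO_STAGE_TEMPLATE = "Hello {username} from {{company}}"
# Single-stage template for the safe variant.
ONE_STAGE_TEMPLATE = "Hello {username} from {company}"


def render_twice(template, userdata, companydata):
    """Vulnerable: the output of the first .format() becomes the format
    string of the second, so braces in user data are parsed as fields."""
    return template.format(**userdata).format(**companydata)


def render_once(template, userdata, companydata):
    """Safe: format exactly once over a merged mapping. Substituted values
    are never re-parsed, so '{secret}' in user data stays literal text."""
    merged = {**userdata, **companydata}
    return template.format_map(merged)


def replacement_fields(value):
    """Field names that `value` would request if it were ever used as a
    format string. Non-empty for user data means it must not be formatted
    again; a cheap check to log or reject before any second pass."""
    return [name for _, name, _, _ in string.Formatter().parse(value)
            if name is not None]


if __name__ == "__main__":
    print(render_twice(TWO_STAGE_TEMPLATE, USERDATA, COMPANYDATA))
    print(render_once(ONE_STAGE_TEMPLATE, USERDATA, COMPANYDATA))
    print(replacement_fields(USERDATA["username"]))
```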