On Aug 7, 2015 3:13 AM, "Guido van Rossum" <guido@python.org> wrote:
>
> On Thu, Aug 6, 2015 at 10:35 PM, Wes Turner <wes.turner@gmail.com> wrote:
>>
>>
>> On Aug 6, 2015 3:03 PM, "Guido van Rossum" <guido@python.org> wrote:
>> >
>> > Unfortunately, all spellings that require calling locals() are wrong.
>>
>> Is this where the potential source of surprising error is?
>>
>> * Explicit / Implicit locals()
>
> This is a big deal because of the worry about code injection. A "classic" format string given access to locals() (e.g. using s.format(**locals())) always stirs worries about code injection if the string is a variable. The proposed forms of string interpolation don't give access to locals *other than the locals where the string "literal" itself exists*. This latter access is no different from the access to locals in any expression. (The same for globals(), of course.)
>
> The other issue with explicit locals() is that to the people who would most benefit from variable interpolation (typically relatively unsophisticated users), it is magical boilerplate. (Worse, it's boilerplate that their more experienced mentors will warn them against because of the code injection worry.)
>>
>> * To me, the practicality of finding '%' and .format is more important than the convenience of an additional syntax with implicit scope, but is that beside the point?
>
> I'm not sure what your point is here. (Genuinely not sure -- this is not a rhetorical flourish.) Are you saying that you prefer the explicit formatting operation because it acts as a signal to the reader that formatting is taking place?
I should prefer str.format() when I reach for str.__mod__() because it's more likely that under manual review I'll notice or grep ".format(" than "%", sheerly by character footprint.
>
> Maybe in the end the f-string proposal is the right one -- it's minimally obtrusive and yet explicit, *and* backwards compatible? This isn't saying I'm giving up on always-interpolation; there seems to be at least an even split between languages that always interpolate (PHP?), languages that have a way to explicitly disable it (like single quotes in shell), and languages that require some sort of signal (like C#).
A convenient but often dangerous syntactical shortcut (because it is infeasible to track more than 7+-2 glocal variables in mind at once).
* Jinja2 autoescaping w/ LaTeX code is much easier w/ different operators.
* f'... {Cmd}"'
* r'... {Cmd}"'
0 / O
>
> --
> --Guido van Rossum (python.org/~guido)
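
The concern raised above about `s.format(**locals())` when the string is a variable, shown next to the literal-only form, as an added example that is not part of the original message. The function names, the `PlainFieldFormatter` class and the sample secret are constructed for illustration.

```python
import string


def render_unsafe(template, user):
    api_key = "constructed-secret-123"  # constructed sample value
    # The pattern under discussion: every local in this frame becomes a
    # field name that the template can reference.
    return template.format(**locals())


def render_literal(user):
    api_key = "constructed-secret-123"  # in scope, but only code can name it
    # The template is a literal in the source; braces inside the *value*
    # of user are data and are never parsed as fields.
    return f"Hello {user}"


class PlainFieldFormatter(string.Formatter):
    """Allow only bare identifiers as fields: no attribute or index lookups."""

    def get_field(self, field_name, args, kwargs):
        if not field_name.isidentifier():
            raise ValueError(f"field not allowed: {field_name!r}")
        return super().get_field(field_name, args, kwargs)


def render_restricted(template, user):
    api_key = "constructed-secret-123"  # not passed, so not reachable
    # For templates that must be variables: pass an explicit mapping.
    return PlainFieldFormatter().format(template, user=user)


def try_render(func, template, user):
    """Return the rendered text, or the name of the exception raised."""
    try:
        return func(template, user)
    except (KeyError, ValueError) as exc:
        return type(exc).__name__


if __name__ == "__main__":
    for tpl in ("Hello {user}", "{api_key}", "{user.__class__}"):
        print(repr(tpl), "unsafe:", try_render(render_unsafe, tpl, "ann"),
              "| restricted:", try_render(render_restricted, tpl, "ann"))
    print("literal:", render_literal("{api_key}"))
```
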