On Tue, Aug 11, 2015 at 2:25 PM, Joonas Liik <liik.joonas@gmail.com> wrote:
I would rather think of this as an opportunity to help avoid injection vectors.

you get an "F" grade/letter/mark every time you build an f-string
without defining what the user-supplied input and destination outputs
could/would be.

if there was a separate... interpolation provider...
then something like

os.system('dosomething {a} {b} {c}'.format(...))

could be written as (!cmd here being a special type of f-string that does command-line escaping, borrowing syntax from another thread a few days ago...)

os.system(!cmd'dosomething {a} {b} {c}')

sarge.run('do something {0} {1} {2}', a, b, c) is currently supported
(and could/should be stdlib IMHO) https://sarge.readthedocs.org/en/latest/overview.html#why-not-just-use-subprocess.

  * (again, sorry) this adds ~subprocess compat to sarge: https://bitbucket.org/vinay.sajip/sarge/pull-requests/1/enh-add-call-check_call-check_output ("ENH: Add call, check_call, check_output, CalledProcessError, expect_returncode")

This is both shorter and more resilient to injections.
Essentially it feels like you annotate a string as "this will be executed on the command line" and the interpolation adapts.

This would make doing the right thing the same as doing the easy thing, and this would be good overall, no?
I don't know about you, but I don't know by heart how to escape arbitrary user input and deal with all of the corner cases.

So, IPython/Jupyter understands _repr_html_ (_repr_*_) methods,
IDK why we couldn't have e.g.  _repr_shell_path_, _repr_shell_cmdarg_,
_repr_sql_sqlite_reserved_keywords_.

Representing things for an output format which is expressed as a string
but has control characters in order to separate data and code.

Yes, you can do this more safely with Popen... but that is quite a bit more effort.
Also, oftentimes there is no such alternative, or it is very unwieldy (in SQL land this happens more often).

POSIX exec accepts a tuple (and does not parse ';' or '--').

_______________________________________________
Python-ideas mailing list
Python-ideas@python.org
https://mail.python.org/mailman/listinfo/python-ideas
Code of Conduct: http://python.org/psf/codeofconduct/
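The three options the thread compares, as an added example that is not part of the original message and is not sarge's or Python's own code: the injectable str.format into a shell string, an interpolation provider in the spirit of the hypothetical !cmd'...' string (here a string.Formatter subclass that shlex.quote()s every field, my own name and design), and the shell-free argv route where POSIX exec receives a tuple and treats ';' and '--' as plain data. The shell_tokens() helper uses shlex to show roughly what a POSIX shell would make of each command line; the hostile filename is a constructed sample input.

```python
import json
import shlex
import string
import subprocess
import sys

# Constructed sample input: a "filename" carrying a second command.
EVIL_NAME = "report.txt; rm -rf ~"


class ShellFormatter(string.Formatter):
    """Assumed, illustrative 'interpolation provider' for shell command lines.

    Every substituted field is passed through shlex.quote, so whatever the
    user supplied becomes exactly one word to a POSIX shell.  This is the
    role the thread imagines for !cmd'...': the template says where the
    string will be consumed and the interpolation adapts to it.
    """

    def format_field(self, value, format_spec):
        rendered = super().format_field(value, format_spec)
        return shlex.quote(rendered)


def unsafe_command(template, **fields):
    """The injectable pattern: plain str.format into a shell string."""
    return template.format(**fields)


def quoted_command(template, **fields):
    """Same template, every field shell-quoted on the way in."""
    return ShellFormatter().format(template, **fields)


def shell_tokens(cmdline):
    """Approximate a POSIX shell's view of a command line.

    punctuation_chars=True makes ';' its own token, which is how an
    injected command boundary shows up; quoted text stays one token.
    """
    return list(shlex.shlex(cmdline, posix=True, punctuation_chars=True))


def run_argv(*args):
    """Run a child with an argv list and no shell.

    The list goes straight to exec, so ';', '--' and '$(...)' reach the
    child unchanged.  The child is the current interpreter, echoing its
    argv as JSON, so the example runs anywhere Python does.
    """
    proc = subprocess.run(
        [sys.executable, "-c", "import json, sys; print(json.dumps(sys.argv[1:]))", *args],
        capture_output=True, text=True, check=True,
    )
    return json.loads(proc.stdout)


if __name__ == "__main__":
    print(shell_tokens(unsafe_command("ls -l {f}", f=EVIL_NAME)))
    print(shell_tokens(quoted_command("ls -l {f}", f=EVIL_NAME)))
    # '--' keeps the next user value from being read as an option by the
    # child program; exec itself never interprets it.
    print(run_argv("--", EVIL_NAME, "--version"))
```

Quoting or an argv list stops the shell from seeing a second command, but neither stops the called program from treating a user value that starts with '-' as an option, so put a literal '--' before user-supplied positional arguments whenever the program supports it.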