[Python-3000] String formating operations in python 3k
Barry Warsaw
barry at python.org
Mon Apr 3 21:07:02 CEST 2006
On Mon, 2006-04-03 at 13:12 -0500, Ian Bicking wrote:
> Even what Mailman
> does is potentially slightly unsafe if they were to accept input to _()
> from untrusted sources, though exploiting str() is rather hard, and
> Mailman presumably has at least a moderate amount of trust for translators.
Right, the attack vector would be through a broken translation (either
maliciously or inadvertently) accessing a local unescaped string causing
an XSS exploit.
> It's not actually unreasonable that translation strings could contain
> expressions, though it's unlikely that Python expressions are really
> called for. Like with pluralization: "Displaying $count ${'user' if
> count==1 else 'users'}" is reasonable, though a more constrained syntax
> would probably be more usable for the translators. It seems there's a
> continuum of use cases.
Except with some languages' plural forms (e.g. Polish IIUC) simple
expressions like that won't cut it. OTOH, gettext has facilities for
supporting all those bizarre plural forms so I don't think we have to
reinvent them in Python (though we may need to do more to support them).
-Barry
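Added example (not code from this thread, from Mailman, or from the gettext module's own API surface beyond the calls named here): the first half mimics a `_()` that interpolates a translation from the caller's whole namespace, so a broken or malicious translation can reach a local, unescaped string as Barry describes, and contrasts it with a renderer that only exposes the placeholders the source string itself declares and HTML-escapes every value. The second half shows why a one/many expression is not enough for Polish, evaluating a constructed Plural-Forms header with `gettext.c2py`, the (undocumented) helper the gettext module uses internally to compile such expressions. All inputs, including the "malicious" translation and the untrusted bio string, are constructed for the example.

```python
"""Added example: constraining what a translation string may interpolate,
and evaluating a real Plural-Forms rule. Not code from the thread."""
import gettext
import html
import re
from string import Template

# $name or ${name} placeholders, the syntax string.Template understands.
PLACEHOLDER = re.compile(r"\$(?:\{(\w+)\}|(\w+))")


def placeholders(text):
    """Set of placeholder names used in a template string."""
    return {a or b for a, b in PLACEHOLDER.findall(text)}


def render_unsafe(translated, namespace):
    """Interpolate from an entire namespace (e.g. locals()), no escaping.

    Whatever name the translation mentions, it gets: this is the reach
    into "a local unescaped string" that the thread warns about.
    """
    return Template(translated).safe_substitute(namespace)


def render_safe(msgid, translated, **values):
    """Interpolate using only the placeholders the source msgid declares.

    Rejects a translation that references an undeclared name, and
    HTML-escapes every substituted value before insertion.
    """
    allowed = placeholders(msgid)
    extra = placeholders(translated) - allowed
    if extra:
        raise ValueError("translation references undeclared placeholders: %s"
                         % sorted(extra))
    missing = allowed - values.keys()
    if missing:
        raise ValueError("caller did not supply: %s" % sorted(missing))
    escaped = {k: html.escape(str(v)) for k, v in values.items() if k in allowed}
    return Template(translated).substitute(escaped)


def demo_injection():
    """Constructed scenario: a greeting page whose frame also holds raw,
    unescaped profile text that the honest translation never touches."""
    msgid = "Hello, $name!"
    honest = "Hello, $name!"
    broken = "Hello, $name! $raw_bio"       # translation reaching into locals
    name = "alice"
    raw_bio = "<script>alert(1)</script>"  # constructed untrusted string
    leaked = render_unsafe(broken, locals())          # markup passes through
    safe_honest = render_safe(msgid, honest, name=name)
    try:
        render_safe(msgid, broken, name=name)
        rejected = False
    except ValueError:
        rejected = True                               # undeclared $raw_bio
    return leaked, safe_honest, rejected


# Plural-Forms header as it appears in a Polish .po file (three forms).
POLISH_PLURAL = ("nplurals=3; plural=(n==1 ? 0 : n%10>=2 && n%10<=4 "
                 "&& (n%100<10 || n%100>=20) ? 1 : 2);")


def plural_index(plural_forms_header, n):
    """Index of the plural form for count n, via gettext's own compiler."""
    expr = plural_forms_header.split("plural=", 1)[1].strip().rstrip(";")
    return gettext.c2py(expr)(n)


def english_only(n):
    """What a count==1 check gives you: gettext.ngettext with no catalog
    loaded falls back to exactly that singular/plural choice."""
    return gettext.ngettext("user", "users", n)


if __name__ == "__main__":
    leaked, safe, rejected = demo_injection()
    print("unsafe:", leaked)
    print("safe:  ", safe, "| malicious translation rejected:", rejected)
    for n in (1, 2, 5, 12, 22):
        print(n, english_only(n), "-> Polish form", plural_index(POLISH_PLURAL, n))
```

Escaping the values does not make the translation text itself trustworthy: a translator can still put markup straight into the translated string, so the placeholder allow-list only closes the path from a translation to variables it was never given. The Polish rule yields three distinct forms across 1, 2, 5, 12 and 22, which is why the thread points at gettext's plural machinery rather than an inline `if count==1` expression.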