[Python-3000] Issues with PEP 3101 (string formatting)
Chris McDonough
chrism at plope.com
Sun Jun 24 08:32:13 CEST 2007
On Jun 24, 2007, at 2:01 AM, Talin wrote:
> The current design is a mid-point between Perl's interpolated
> strings (which can contain arbitrary expressions), and C-style
> printf. The guiding rule is to allow expressions which increase
> convenience and expressiveness, and which are likely to be useful,
> while disallowing most of the types of expressions which would be
> likely to have side effects. Since this is Python, we can't
> guarantee that there's no side effects, but we can make a pretty
> good guess based on the assumption that most Python programmers are
> reasonable and sane.
Of course it's a judgment call whether the benefit of being able to
do attribute/item lookup within formatting expressions is "worth
it". At very least it means I'll need to be more careful when
supplying formatting arguments in order to prevent inappropriate data
exposure. And I won't be able to allow untrusted users to compose
plain strings with formatting expressions in them, at least without
imposing some restricted execution model within the objects fed to
the formatter. Zope currently does this inasmuch as it allows people
to compose dynamic TALES expressions, which is "safe" right now, but
will become unsafe. Frankly I'd rather just not think about it,
because leaving this feature out is way easier than dealing with
restricted execution or coming up with a mini templating language to
replace the current string formatting stuff, which works fine.
But, that aside, at very least, we shouldn't restrict the names
available to be looked up by default to those not starting with an
underscore (for the reasons I mentioned in the original post in this
thread).
>
> From an implementation standpoint, this is not where the complexity
> lies. (The most complex part of the code is the part dealing with
> details of conversion specifiers and formatting of numbers.)
I know it's not very complex, I just don't believe it's terribly
beneficial to have in the base string formatting implementation, and
it's potentially harmful. Particularly to web programmers, at least
to dumb ones like me.
- C
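
Added example, not part of the original message or of the PEP 3101 code: the exposure discussed above, shown with str.format as it exists in Python 3, next to one way to keep attribute and item lookups out of templates written by untrusted users. Account, FlatFormatter, naive_render, safe_render and is_rejected are hypothetical names, and the sample values are constructed.

```python
import string


class Account:
    """Constructed sample object: one public field, one private one."""

    def __init__(self, owner, api_token):
        self.owner = owner
        self._api_token = api_token


def naive_render(template, account):
    # The whole object is reachable from the template, private names included.
    return template.format(account=account)


class FlatFormatter(string.Formatter):
    """Hypothetical formatter that accepts plain field names only."""

    def get_field(self, field_name, args, kwargs):
        # Attribute ('.') and item ('[') lookups are refused. Fields nested
        # inside a format spec pass through get_field too, so they are covered.
        if "." in field_name or "[" in field_name:
            raise ValueError(f"lookup not allowed in field {field_name!r}")
        return super().get_field(field_name, args, kwargs)


def safe_render(template, account):
    # Hand over only the plain string values the template may show.
    exposed = {"owner": str(account.owner)}
    return FlatFormatter().vformat(template, (), exposed)


def is_rejected(template, account):
    # True when the restricted formatter refuses the template outright.
    try:
        safe_render(template, account)
    except (ValueError, KeyError, IndexError):
        return True
    return False


if __name__ == "__main__":
    acct = Account("alice", "constructed-secret")
    print(naive_render("{account._api_token}", acct))
    print(safe_render("Hello {owner}", acct))
    print(is_rejected("{owner.__class__}", acct))
```

Passing only plain strings matters as much as the get_field check: a conversion such as !r still calls into whatever object the template is given.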