[Python-Dev] PEP 215 redux: toward a simplified consensus?

Paul Prescod paul@prescod.net
Mon, 25 Feb 2002 15:19:06 -0800


Guido van Rossum wrote:
> 
> There are two entirely different potential uses for interpolation.
> One is for the Python programmer; call this literal interpolation.

True!

>...
> A totally *different* use of interpolation is for templates, where
> both the template (any data containing the appropriate $ syntax) and
> the set of variables to be substituted (any mapping) should be under
> full control of the program.  This is what Mailman needs.

True!

But we've already got a solution for this. Is there something wrong with
it? I guess I don't know what problem we're trying to solve. My only
interest in interpolation was to make the common, simple case easier.

> Literal interpolation has no security issues, if done properly.  In
> the latter use, the security issues can be taken care of by carefully
> deciding what data is available in the set of variables to be
> interpolated.  The interpolation syntax I've proposed is intentionally
> very simple, so that this is relatively easy.  I recall seeing slides
> at the conference of a templating system (maybe Twisted's?) that
> allowed expressions like $foo.bar[key] which would be much harder to
> secure.

I'm not attached enough to fight for these but I'll re-emphasize your
implicit point that these are entirely secure if used in literal
interpolation.

> I18n of templates is easy -- just look up the template string in the
> translation database.
> 
> I18n of apps using literal interpolation is more of a can of worms,
> and I have no clear solution.  I agree that a solution is needed --
> otherwise literal interpolation would be *worse* than what we have now!

You translate them from compile-time interpolation to runtime by
removing a $ and replacing it by a function call.

a = $"My name is $name"

becomes:

a = interp(_("My name is $name"))

But of course it is trivial to make the last line of '_' return
interp(rc) so that the client doesn't have to do it.

Paul Prescod
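The following is an added example, not code from this thread or from the PEP 215 proposal. It shows the "template" side of the discussion in working Python using string.Template (PEP 292, which post-dates this 2002 exchange and implements exactly the simple $name / ${name} syntax Guido describes), plus the i18n path Paul sketches: look up the template string, then interpolate with an explicit mapping. The translation catalog and the gettext-style _() function are constructed stand-ins, and the names template_names, unknown_names, interp, translate_and_interp and render_untrusted are this example's own. The security point it demonstrates is the one in the thread: with an identifier-only syntax and a program-chosen mapping, securing interpolation reduces to deciding what is in the mapping, and a hostile template cannot reach attributes or indexes ($name.secret is the value of name followed by the literal text ".secret").

```python
# Added example, not from the original thread or from Python's PEP 215.
# string.Template (PEP 292) is used as a concrete form of the "template"
# interpolation discussed above: only $name / ${name} placeholders, with
# the program choosing both the template and the mapping.
from string import Template

# Constructed translation catalog standing in for a gettext message catalog.
_CATALOG = {
    "fr": {"My name is $name": "Je m'appelle $name"},
}


def _(msgid, lang="en"):
    """Stand-in for gettext's _(): map a template string to its translation.

    Placeholder names survive translation, so one mapping serves every
    language's version of the template.
    """
    return _CATALOG.get(lang, {}).get(msgid, msgid)


def template_names(template_text):
    """Return the set of $name / ${name} placeholders in a template.

    Uses Template's own compiled pattern so the rule for what counts as a
    placeholder is the one substitute() will apply. '$$' (an escaped
    dollar) is not a placeholder.
    """
    names = set()
    for m in Template(template_text).pattern.finditer(template_text):
        name = m.group("named") or m.group("braced")
        if name:
            names.add(name)
    return names


def unknown_names(template_text, allowed):
    """Placeholders a template uses that the program has not allow-listed.

    This is the "carefully deciding what data is available" step: a
    template that asks for names outside the mapping can be rejected or
    logged before anything is rendered.
    """
    return template_names(template_text) - set(allowed)


def interp(template_text, mapping):
    """Runtime interpolation with an explicit mapping (never locals()).

    substitute() is strict: a placeholder missing from the mapping raises
    KeyError, the right failure for program-written templates, since it
    catches a typo instead of silently emitting '$nmae'.
    """
    return Template(template_text).substitute(mapping)


def translate_and_interp(msgid, mapping, lang="en"):
    """The i18n path from the message: look the template up, then interpolate."""
    return interp(_(msgid, lang), mapping)


def render_untrusted(template_text, allowed):
    """Render a template the program did NOT write (e.g. a user-supplied
    mail signature), exposing only the allow-listed mapping.

    safe_substitute() leaves unknown placeholders in place instead of
    raising, so a hostile template cannot probe for names by triggering
    errors, and the syntax has no attribute or index access.
    """
    return Template(template_text).safe_substitute(allowed)


if __name__ == "__main__":
    print(translate_and_interp("My name is $name", {"name": "Paul"}))
    print(translate_and_interp("My name is $name", {"name": "Paul"}, "fr"))
    # Constructed hostile template: tries to reach names not handed to it.
    hostile = "Hi $name, $password $name.__class__ ${config} $$5"
    print(unknown_names(hostile, {"name"}))
    print(render_untrusted(hostile, {"name": "Ann"}))
```

The two render functions embody the two trust levels in the thread: interp() for templates the program owns (strict, so mistakes surface), render_untrusted() for templates that come from outside (lenient, so the template author learns nothing from error messages). Either way, the only values reachable are those the caller put in the mapping.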