[Python-Dev] PEP 215 redux: toward a simplified consensus?
Paul Prescod
paul@prescod.net
Mon, 25 Feb 2002 15:19:06 -0800
Guido van Rossum wrote:
>
> There are two entirely different potential uses for interpolation.
> One is for the Python programmer; call this literal interpolation.
True!
>...
> A totally *different* use of interpolation is for templates, where
> both the template (any data containing the appropriate $ syntax) and
> the set of variables to be substituted (any mapping) should be under
> full control of the program. This is what Mailman needs.
True!
But we've already got a solution for this. Is there something wrong with
it? I guess I don't know what problem we're trying to solve. My only
interest in interpolation was to make the common, simple case easier.
> Literal interpolation has no security issues, if done properly. In
> the latter use, the security issues can be taken care of by carefully
> deciding what data is available in the set of variables to be
> interpolated. The interpolation syntax I've proposed is intentionally
> very simple, so that this is relatively easy. I recall seeing slides
> at the conference of a templating system (maybe Twisted's?) that
> allowed expressions like $foo.bar[key] which would be much harder to
> secure.
I'm not attached enough to fight for these but I'll re-emphasize your
implicit point that these are entirely secure if used in literal
interpolation.
> I18n of templates is easy -- just look up the template string in the
> translation database.
>
> I18n of apps using literal interpolation is more of a can of worms,
> and I have no clear solution. I agree that a solution is needed --
> otherwise literal interpolation would be *worse* than what we have now!
You translate them from compile time interpolation to runtime by
removing a $ and replacing it by a function call.

    a = $"My name is $name"

becomes:

    a = interp(_("My name is $name"))

But of course it is trivial to make the last line of '_' return
interp(rc) so that the client doesn't have to do it.

Paul Prescod
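
Added example, not part of the original message or of any PEP 215 code: a sketch of the template case discussed above, where a translated template is rendered against a mapping the program controls. It assumes Python's string.Template as a stand-in for the simple $name syntax and str.format as a stand-in for a richer $foo.bar[key] syntax; CATALOG, User, the two-argument interp and interp_rich are hypothetical names.

```python
from string import Template

# Constructed translation database: original template -> translated template.
CATALOG = {"My name is $name": "Je m'appelle $name"}


class User:
    """Constructed record with one public and one sensitive field."""

    def __init__(self, name, password_hash):
        self.name = name
        self.password_hash = password_hash


def _(message):
    """Look the template up in the translation database (hypothetical helper)."""
    return CATALOG.get(message, message)


def interp(template, user):
    """Simple $name syntax: the template can only reach keys we chose to expose."""
    exposed = {"name": user.name}
    # safe_substitute leaves unknown or malformed placeholders untouched.
    return Template(template).safe_substitute(exposed)


def interp_rich(template, user):
    """Attribute-capable syntax: the template can walk the whole object."""
    return template.format(user=user)


if __name__ == "__main__":
    u = User("Ada", "constructed-hash-value")
    print(interp(_("My name is $name"), u))
    print(interp("$name / $password_hash / ${user.password_hash}", u))
    print(interp_rich("{user.name} / {user.password_hash}", u))
```

With the simple syntax the set of reachable values is exactly the mapping; with attribute access it is everything reachable from the objects passed in, which is what makes that form harder to secure when the template is data.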