[Python-Dev] PEP 215 (string interpolation) alternative EvalDict
Jason Orendorff
jason@jorendorff.com
Mon, 14 Jan 2002 17:04:49 -0600
> But if you're going to allow interpolation of the results of arbitrary
> functions into a string, it's going to be a security problem whether
> or not you use 'eval' to do it. My code hides the eval in the object's
> Python code. u" strings would hide the eval in the C code. How is one
> more or less secure than the other?
There is no security issue with PEP 215.
$"$a and $b make $c" <==> ("%s and %s make %s" % (a, b, c))
These two are completely equivalent under PEP 215, and therefore
equally secure.
## Jason Orendorff http://www.jorendorff.com/