[Python-Dev] PEP 215 (string interpolation) alternative EvalDict

Jason Orendorff jason@jorendorff.com
Mon, 14 Jan 2002 17:04:49 -0600


> But if you're going to allow interpolation of the results of arbitrary
> functions into a string, it's going to be a security problem whether
> or not you use 'eval' to do it. My code hides the eval in the object's
> python code. u" strings would hide the eval in the C code. How is one
> more or less secure than the other?

There is no security issue with PEP 215.

$"$a and $b make $c"   <==>  ("%s and %s make %s" % (a, b, c))

These two are completely equivalent under PEP 215, and therefore
equally secure.

## Jason Orendorff    http://www.jorendorff.com/
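The point of the reply is that a PEP 215 literal only ever substitutes names the programmer wrote into the source, exactly like a `%` format with a tuple, whereas an EvalDict-style mapping evaluates whatever text appears between the parentheses. The following added example (not code from the thread or from PEP 215; the `interpolate` function is an assumed stand-in for the proposed `$"..."` syntax, and `EvalDict` is a hypothetical reconstruction of the idea the subject line refers to) shows both side by side: with a plain `$a and $b make $c` template they produce the same string, but the name-only interpolator refuses an expression rather than executing it.

```python
import re

# Assumed stand-in for a PEP 215 $"..." literal: only bare $name references
# are resolved, via a plain dictionary lookup, so nothing is ever executed.
_NAME = re.compile(r"\$([A-Za-z_][A-Za-z0-9_]*)")
_NOT_A_NAME = re.compile(r"\$(?![A-Za-z_])")  # a '$' not followed by a name


def interpolate(template, namespace):
    """Replace each $name with str(namespace[name]).

    Unknown names raise KeyError; a '$' that introduces anything other than
    a bare identifier (e.g. "$(a+b)") raises ValueError instead of being
    evaluated.
    """
    if _NOT_A_NAME.search(template):
        raise ValueError("only bare $name references are supported")
    return _NAME.sub(lambda m: str(namespace[m.group(1)]), template)


class EvalDict(dict):
    """Hypothetical reconstruction of the EvalDict idea from the thread.

    Used as the right-hand side of '%', every "%(key)s" lookup eval()s the
    key as a Python expression, so the template text itself is code.
    """

    def __init__(self, namespace):
        super().__init__()
        self.namespace = namespace

    def __missing__(self, key):
        return eval(key, {"__builtins__": {}}, self.namespace)


def safe_result(template, namespace):
    """Name-only interpolation; reports refusals instead of raising."""
    try:
        return interpolate(template, namespace)
    except (KeyError, ValueError) as exc:
        return "refused: " + exc.__class__.__name__


def evaldict_result(template, namespace):
    """'%'-formatting through an EvalDict; expressions in keys are executed."""
    return template % EvalDict(namespace)


def percent_result(a, b, c):
    """The tuple form the reply says a PEP 215 literal is equivalent to."""
    return "%s and %s make %s" % (a, b, c)


if __name__ == "__main__":
    ns = {"a": 2, "b": 3, "c": 5}  # constructed sample namespace
    print(safe_result("$a and $b make $c", ns))          # 2 and 3 make 5
    print(percent_result(2, 3, 5))                       # 2 and 3 make 5
    print(evaldict_result("%(a)s and %(b)s make %(c)s", ns))
    # Only the EvalDict path turns template text into executed code:
    print(evaldict_result("%(a+b)s", ns))                # 5
    print(safe_result("$(a+b)", ns))                     # refused: ValueError
    print(safe_result("$d", ns))                         # refused: KeyError
```

With a fixed template the three forms agree, which is the equivalence the reply asserts. The difference only exists if the template string is itself data: the name-only interpolator can at most look up a value, while the EvalDict path runs whatever expression the template contains, so the security question belongs to the eval-based design, not to the `$"..."` literal.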