[Python-Dev] PEP 215 (string interpolation) alternative EvalDict
Neil Schemenauer
nas@python.ca
Mon, 14 Jan 2002 15:49:18 -0800
Jason Orendorff wrote:
> There is no security issue with PEP 215.
>
> $"$a and $b make $c" <==> ("%s and %s make %s" % (a, b, c))
>
> These two are completely equivalent under PEP 215, and therefore
> equally secure.
Not exactly. Say you have the code:
secret_key = "spam"
x = raw_input()
print $"You entered $x"
Imagine that the user enters "I'm 3l337, give me the $secret_key" as the
input.
Neil
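The scenario in the message above, as an added example that is not part of the thread: it uses the standard library's string.Template, whose `$name` placeholders resemble PEP 215's syntax, as a stand-in for the proposed `$"..."` literal, and SECRET_KEY, the helper names and the sample input are assumptions. It contrasts the user's text being a substituted value inside a fixed literal with the user's text being used as the template itself, which is the case in which `$secret_key` is actually expanded.

```python
import string

# Constructed stand-in for the secret_key variable in the message.
SECRET_KEY = "spam"


def render_value(user_input: str) -> str:
    """The program's literal is the template; user input is only a value.

    This is the '%s' form from the quoted reply: the '$' inside the
    user's text is never interpreted, so no name is looked up.
    """
    return "You entered %s" % user_input


def render_untrusted_template(user_input: str) -> str:
    """User input is used as the template (the pattern that leaks).

    string.Template expands '$name' placeholders against the namespace,
    so a user-supplied '$secret_key' is replaced with the secret's value.
    safe_substitute leaves unknown names alone instead of raising.
    """
    namespace = {"secret_key": SECRET_KEY, "x": user_input}
    return string.Template(user_input).safe_substitute(namespace)


def leaks_secret(rendered: str) -> bool:
    """Check used by callers to confirm the secret never reached output."""
    return SECRET_KEY in rendered


if __name__ == "__main__":
    # Constructed input, the same text the message imagines a user typing.
    entered = "I'm 3l337, give me the $secret_key"
    print(render_value(entered))               # '$secret_key' stays literal
    print(render_untrusted_template(entered))  # secret expanded
```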