[Python-Dev] PEP 215 (string interpolation) alternative EvalDict

Jason Orendorff jason@jorendorff.com
Mon, 14 Jan 2002 19:38:42 -0600


> But just in case I'm seeing it all wrong: could you explain
> to me how PEP 215 *doesn't* have the potential of introducing
> a security hole?

Gladly.

Every $-string can be converted to equivalent code that uses only:

  a)  whatever code the programmer explicitly typed
      in the $-string;
  b)  str() or unicode(); and
  c)  the + operator applied to strings.

Therefore $ is exactly as secure or insecure as those three
pieces.

All three of these things are just as safe as the non-PEP-215
features that we're already using.

Therefore $-strings do not introduce any new security hole.

## Jason Orendorff    http://www.jorendorff.com/
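A small Python 3 model of the desugaring described above, as an added example that is not code from the post or from PEP 215. It assumes only the `$$`, `$name.attr` and `${expr}` forms, uses `str()` where the 2002 text also mentions `unicode()`, and shows the security-relevant consequence: runtime data that happens to contain `$` is never re-interpreted.

```python
import re

# Simplified subset of the PEP 215 syntax (assumption, not the full grammar):
#   $$            -> a literal dollar sign
#   $name.attr    -> the programmer-typed expression name.attr
#   ${expr}       -> the programmer-typed expression expr
_TOKEN = re.compile(
    r'\$\$'
    r'|\$\{([^}]*)\}'
    r'|\$([A-Za-z_][A-Za-z_0-9]*(?:\.[A-Za-z_][A-Za-z_0-9]*)*)'
)


def desugar(template):
    """Return Python source equivalent to the $-string, built only from
    (a) the expressions the programmer typed, (b) str(), (c) + on strings."""
    parts = []
    pos = 0
    for m in _TOKEN.finditer(template):
        literal = template[pos:m.start()]
        if literal:
            parts.append(repr(literal))          # literal text, quoted
        if m.group(0) == '$$':
            parts.append(repr('$'))
        else:
            expr = m.group(1) if m.group(1) is not None else m.group(2)
            parts.append('str(%s)' % expr)        # programmer-typed expression
        pos = m.end()
    tail = template[pos:]
    if tail:
        parts.append(repr(tail))
    return ' + '.join(parts) if parts else "''"


def interpolate(template, namespace):
    """Compile the desugared source once (modelling what a compiler would do
    to the literal) and evaluate it against the given names.  Only str and
    the caller's namespace are visible; the values in the namespace are
    data and are never parsed for '$' again."""
    code = compile(desugar(template), '<$-string>', 'eval')
    return eval(code, {'__builtins__': {'str': str}}, dict(namespace))


if __name__ == '__main__':
    # Constructed sample: the user-controlled value contains a '$' form.
    ns = {'user': '${secret}', 'price': 3, 'secret': 'hunter2'}
    print(desugar('Hello $user, total: ${price * 2}'))
    print(interpolate('Hello $user, total: ${price * 2}', ns))
```

The second print shows `${secret}` left verbatim in the output: the only expressions evaluated are the ones that appeared in the literal, which is the whole of the argument above.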