[Python-Dev] PEP_215_ (string interpolation) alternative EvalDict

Steven Majewski sdm7g@Virginia.EDU
Mon, 14 Jan 2002 21:07:24 -0500 (EST)


On Mon, 14 Jan 2002, Jason Orendorff wrote:

> > But just in case I'm seeing it all wrong: could you explain
> > to me how PEP 215 *doesn't* have the potential of introducing
> > a security hole?
>
> Gladly.
>
> Every $-string can be converted to equivalent code that uses only:
>
>   a)  whatever code the programmer explicitly typed
>       in the $-string;
>   b)  str() or unicode(); and
>   c)  the + operator applied to strings.
>

But the examples in PEP 215 don't follow those restrictions.

That may be the source of the confusion.

Maybe someone should revise the PEP for consistency before it's
considered further.

-- Steve.