[Python-Dev] Re: PEP 292, Simpler String Substitutions

Barry A. Warsaw barry@zope.com
Sat, 22 Jun 2002 21:45:42 -0400

>>>>> "CT" == Christian Tismer <tismer@tismer.com> writes:

    CT> If there are program variables directly accessible inside
    CT> strings to be interpolated, then I see possible abuse, if
    CT> abusers manage to supply such a string in an unforeseen way.

For literal strings in .py files, the only way that's going to happen
is if someone you don't trust is hacking your source code, /or/ if you
have evil translators sneaking in bogus translation strings.  The
latter can be solved with a verification step over your message
catalogs, while the former I leave as an exercise for the reader. :)

So still, I trust automatic interpolation of program vars for literal
strings, but for strings coming from some other source (e.g. a web
form), then yes, you obviously want to be explicit about the
interpolation dictionary.