[Python-Dev] Re: PEP 292, Simpler String Substitutions
Barry A. Warsaw
barry@zope.com
Sat, 22 Jun 2002 21:45:42 -0400

>>>>> "CT" == Christian Tismer <tismer@tismer.com> writes:

CT> If there are program variables directly accessible inside
CT> strings to be interpolated, then I see possible abuse, if
CT> abusers manage to supply such a string in an unforeseen way.

For literal strings in .py files, the only way that's going to happen
is if someone you don't trust is hacking your source code, /or/ if you
have evil translators sneaking in bogus translation strings. The
latter can be solved with a verification step over your message
catalogs, while the former I leave as an exercise for the reader. :)

So still, I trust automatic interpolation of program vars for literal
strings, but for strings coming from some other source (e.g. a web
form), then yes, you obviously want to be explicit about the
interpolation dictionary.

-Barry