[Python-ideas] String interpolation for all literal strings
Eric V. Smith
eric at trueblade.com
Thu Aug 6 21:44:21 CEST 2015
On 08/06/2015 03:02 PM, Wes Turner wrote:
> On Wed, Aug 5, 2015 at 8:58 PM, Terry Reedy <tjreedy at udel.edu> wrote:
>
>> On 8/5/2015 3:34 PM, Yury Selivanov wrote:
>>
>>> '\{..}' feels unbalanced and weird.
>>
>> Escape both. The closing } is also treated specially, and not
>> inserted into the string. The compiler scans linearly from left to
>> right, but human eyes are not so constrained.
>>
>> s = "abc\{kjljid some long expression jk78738}def"
>>
>> versus
>>
>> s = "abc\{kjljid some long expression jk78738\}def"
>>
>> and how about
>>
>> s = "abc\{kjljid some {long} expression jk78738\}def"
>
> +1: escape \{both\}.
>
> Use cases where this is (as dangerous as other string interpolation
> methods):
>
> * Shell commands that should be shlex-parsed/quoted
> * (inappropriately, programmatically) writing
>   code with manually-added quotes ' and double quotes "
> * XML, HTML, CSS, SQL, textual query language injection
> * Convenient, but dangerous and IMHO much better handled
>   by e.g. MarkupSafe, a DOM builder, a query ORM layer
>
> Docs / Utils:
>
> * [ ] ENH: AST scanner for these (before i do __future__ import)
> * [ ] DOC: About string interpolation, in general
I don't understand what you're trying to say.
os.system("cp \{cmd}")
is no better or worse than:
os.system("cp " + cmd)
Yes, there are lots of opportunities in the world for injection attacks.
This proposal doesn't change that. I don't see how escaping the final }
changes anything.
Eric.
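Eric's point is that an interpolated command string and a concatenated one are the same bytes by the time they reach the shell, and Wes's list names the two remedies that actually help: quote for the shell (or skip the shell) and use parameterized queries. The following is an added example, not code from the thread or from Python itself; it uses today's `shlex` and `sqlite3` APIs rather than the proposed `\{...}` syntax, and the function names, the `/backup/` destination and the hostile inputs are constructed for illustration.

```python
import shlex
import sqlite3
import subprocess
from typing import List, Tuple

# Constructed hostile inputs (not real data): a "filename" and a "user name"
# that each smuggle in a second statement.
HOSTILE_NAME = "report.txt; rm -rf /"
HOSTILE_SQL_NAME = "x' OR '1'='1"


def build_unsafe(cmd_arg: str) -> str:
    """Interpolate the argument straight into the command string.

    Whether this is written as "cp " + cmd_arg or as an interpolated
    literal makes no difference: the shell sees one flat string.
    """
    return "cp " + cmd_arg + " /backup/"


def build_quoted(cmd_arg: str) -> str:
    """Same command string, but the argument is quoted for a POSIX shell."""
    return "cp " + shlex.quote(cmd_arg) + " /backup/"


def shell_tokens(command: str) -> List[str]:
    """Approximate how a POSIX shell splits a command line.

    punctuation_chars=True makes ';', '|', '&', '<', '>' stand-alone tokens,
    so an injected command separator shows up as its own token.
    """
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    return list(lexer)


def build_argv(cmd_arg: str) -> List[str]:
    """Skip the shell entirely: one argv element per argument.

    Pass this list to subprocess.run(...) (shell=False, the default); the
    argument arrives at cp verbatim, metacharacters and all.
    """
    return ["cp", cmd_arg, "/backup/"]


def make_db() -> sqlite3.Connection:
    """Constructed in-memory table with two rows, used by the SQL functions."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice-secret"), ("bob", "bob-secret")],
    )
    return conn


def sql_lookup_unsafe(conn: sqlite3.Connection, name: str) -> List[Tuple[str]]:
    """String-built query: the caller's input becomes part of the SQL."""
    query = "SELECT secret FROM users WHERE name = '" + name + "' ORDER BY name"
    return conn.execute(query).fetchall()


def sql_lookup_param(conn: sqlite3.Connection, name: str) -> List[Tuple[str]]:
    """Parameterized query: the input is bound as a value, never parsed as SQL."""
    query = "SELECT secret FROM users WHERE name = ? ORDER BY name"
    return conn.execute(query, (name,)).fetchall()


if __name__ == "__main__":
    print("unsafe :", shell_tokens(build_unsafe(HOSTILE_NAME)))
    print("quoted :", shell_tokens(build_quoted(HOSTILE_NAME)))
    print("argv   :", build_argv(HOSTILE_NAME))
    # Demonstrate the argv form with printf instead of cp so nothing is copied.
    print(subprocess.run(["printf", "%s", HOSTILE_NAME],
                         capture_output=True, text=True).stdout)
    db = make_db()
    print("sql unsafe:", sql_lookup_unsafe(db, HOSTILE_SQL_NAME))
    print("sql param :", sql_lookup_param(db, HOSTILE_SQL_NAME))
```

The token lists make the point concrete: the unsafe command splits into `cp report.txt ; rm -rf / /backup/`, i.e. two commands, while the quoted one keeps the whole hostile string as a single argument. The SQL half shows the same shape of failure: the string-built query returns every row, the parameterized one returns none, because no `name` equals the literal string `x' OR '1'='1`.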