[Python-ideas] Briefer string format

Akira Li 4kir4.1i at gmail.com
Sat Aug 8 03:54:20 CEST 2015


Guido van Rossum <guido at python.org> writes:

> On Thu, Aug 6, 2015 at 10:35 PM, Wes Turner
> <wes.turner at gmail.com> wrote:
>
>>
>> On Aug 6, 2015 3:03 PM, "Guido van Rossum" <guido at python.org> wrote:
>> >
>> > Unfortunately, all spellings that require calling locals() are wrong.
>>
>> Is this where the potential source of surprising error is?
>>
>> * Explicit / Implicit locals()
>>
> This is a big deal because of the worry about code injection. A "classic"
> format string given access to locals() (e.g. using s.format(**locals()))
> always stirs worries about code injection if the string is a variable. The
> proposed forms of string interpolation don't give access to locals *other
> than the locals where the string "literal" itself exists*. This latter
> access is no different from the access to locals in any expression. (The
> same for globals(), of course.)
>
> The other issue with explicit locals() is that to the people who would most
> benefit from variable interpolation (typically relatively unsophisticated
> users), it is magical boilerplate. (Worse, it's boilerplate that their more
> experienced mentors will warn them against because of the code injection
> worry.)

Googling e.g., "python locals code injection" yields nothing specific:

http://stackoverflow.com/questions/2515450/injecting-variables-into-the-callers-scope
http://stackoverflow.com/questions/13312240/is-a-string-formatter-that-pulls-variables-from-its-calling-scope-bad-practice

Could you provide an example of what is wrong with
"{a}{b}".format(**vars())?

Is it correct to say that there is nothing wrong with it as long as the
string is always a *literal*?
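
As an added example that is not code from the thread, the following contrasts the pattern Guido warns about (a template that is a variable, formatted with `**locals()`) with a version that passes only an explicit allowlist of values and rejects any template field outside it; the names `render_unsafe`, `render_checked`, `check_template` and the local `api_key` are constructed for illustration.

```python
import string

# Constructed scenario: the template string is a variable (for instance read
# from user input or a config file), and the enclosing function happens to
# have a sensitive local that the caller never intended to expose.

def render_unsafe(template, name):
    """The worrying pattern: every local, api_key included, is handed to
    whatever fields the variable template happens to reference."""
    api_key = "CONSTRUCTED-SECRET"  # constructed sensitive local
    return template.format(**locals())


def check_template(template, allowed):
    """Walk the template with string.Formatter.parse and reject any
    replacement field that is not a bare name from the allowlist.
    Attribute/index access ("name.__class__", "name[0]"), positional
    fields ("{0}", "{}") and fields hidden inside a nested format spec
    ("{name:{api_key}}") are all refused."""
    for _literal, field, spec, _conv in string.Formatter().parse(template):
        if field is None:          # plain literal text, nothing to check
            continue
        if field not in allowed:
            raise ValueError(f"template references disallowed field {field!r}")
        if spec:                   # the spec may itself contain fields
            check_template(spec, allowed)


def render_checked(template, name):
    """Hardened pattern: the template is validated first, and only the
    values we mean to expose are passed, never the whole local scope."""
    api_key = "CONSTRUCTED-SECRET"  # still present, but never reachable
    allowed = frozenset({"name"})
    check_template(template, allowed)
    return template.format(name=name)


if __name__ == "__main__":
    print(render_unsafe("{api_key}", "bob"))      # leaks the secret
    print(render_checked("Hello {name}!", "bob"))  # Hello bob!
    try:
        render_checked("{api_key}", "bob")
    except ValueError as exc:
        print("rejected:", exc)
```

A literal template cannot be changed by anyone who does not already control the source, which is why the concern applies to variable templates rather than to the literal case asked about above.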