[Python-ideas] [Python-Dev] PEP-498: Literal String Formatting

Joonas Liik liik.joonas at gmail.com
Tue Aug 11 21:25:27 CEST 2015


I would rather think of this as an opportunity to help avoid injection
vectors.

If there were a separate... interpolation provider...
then something like

os.system('dosomething {a} {b} {c}'.format(...))

could be written as (!cmd here being a special type of f-string that does
command-line escaping, borrowing syntax from another thread a few days
ago)

os.system(!cmd'dosomething {a} {b} {c}')

This is both shorter and more resilient to injections.
Essentially it feels like you annotate a string as "this will be executed
on the command line" and the interpolation adapts.

This would make doing the right thing the same as doing the easy thing, and
this would be good overall, no?
I don't know about you, but I don't know by heart how to escape arbitrary
user input and deal with all of the corner cases.

Yes, you can do this more safely with Popen, but that is quite a bit more
effort.
Also, often there is no such alternative or it is very unwieldy (in SQL
land this happens more often).
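As an added illustration (not code from the post, from PEP 498, or from the other thread it refers to), here is how a context-aware interpolation provider of the kind described above could behave in plain Python. `cmd` is a hypothetical stand-in for the proposed `!cmd` prefix, `naive` is the plain `str.format` call the post wants to replace, and the "filename" input is constructed for the demonstration. The tokeniser shows the difference from the shell's point of view: with `str.format` the command separator inside the input becomes its own operator token, while the quoting provider keeps the whole input as one argument.

```python
import shlex
import string


class ShellQuotingFormatter(string.Formatter):
    """A str.format-style formatter that shell-quotes every substituted value.

    Literal text in the template is emitted unchanged; only the values filled
    into {name} fields pass through shlex.quote, so each value is exactly one
    word to a POSIX shell no matter what characters it contains.
    """

    def format_field(self, value, format_spec):
        rendered = super().format_field(value, format_spec)
        return shlex.quote(rendered)


def cmd(template, **values):
    """Hypothetical stand-in for the !cmd prefix proposed in the post (assumed name)."""
    return ShellQuotingFormatter().format(template, **values)


def naive(template, **values):
    """The plain str.format interpolation the post wants to replace."""
    return template.format(**values)


def shell_tokens(command):
    """Tokenise a command line roughly the way a POSIX shell would see it.

    punctuation_chars=True makes operators such as ';' and '|' separate
    tokens, so an injected command separator shows up in the list.
    Requires Python 3.8+ for whitespace_split together with punctuation_chars.
    """
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    return list(lexer)


# Constructed sample input: a "filename" that carries a command separator.
USER_INPUT = "report.txt; echo injected"


def compare(user_input=USER_INPUT):
    """Return (tokens of the str.format version, tokens of the quoted version)."""
    template = "cat {path}"
    unsafe = shell_tokens(naive(template, path=user_input))
    safe = shell_tokens(cmd(template, path=user_input))
    return unsafe, safe


if __name__ == "__main__":
    unsafe, safe = compare()
    print("str.format :", unsafe)  # ';' appears as a separate shell operator
    print("cmd-quoted :", safe)    # the whole input stays one argument
```

Values that need no quoting (`plain`) are left bare by `shlex.quote`, and values containing quotes are handled as well, so the provider costs nothing on benign input. For the SQL case the post mentions, the analogous provider would not escape text at all but hand the values to the driver as bound parameters.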