[Python-ideas] extensible template strings
Steven D'Aprano
steve at pearwood.info
Thu Aug 20 02:28:32 CEST 2015
On Wed, Aug 19, 2015 at 08:15:05PM -0400, Eric V. Smith wrote:
> On 8/19/2015 7:43 PM, Guido van Rossum wrote:
> > How important is it really to *hide* the fact that this involves a
> > function call?
>
> The only reason PEPs 498 and 501, and by extension Yuri's proposal, have
> any difference over a function call is the ability to evaluate the
> embedded expressions in the local context, before the function is
> called.
Isn't that exactly what a normal function call does?
func(expr)
evaluates expr in the local context before the function is called.
> I agree that if it were just about hiding a function call, it
> wouldn't be interesting at all.
>
> But just as:
> f'My name is {name}'
>
> is arguably an improvement over:
> 'My name is {0}'.format(name)
>
> So too would:
> sql'select {columns} from {table}'
>
> be easier to read than:
> sql.run('select {} from {}', columns, table)
Yuri linked to the Javascript reference for this feature, which
explicitly warns that "template strings" are a security risk:
https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/template_strings
It looks to me that the sql'...' version above is trivially vulnerable to
code injection attacks.
--
Steve
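The injection risk Steve points to, as an added example that is not part of the thread: it contrasts splicing a value into the SQL text (what a sql'...' template would do for it) with binding it as a parameter, and shows an allow-list check for identifiers such as {columns} and {table}, which cannot be bound. It assumes Python's standard sqlite3 module and a constructed in-memory users table.

```python
# Added example, not from the original post. Uses only the standard library
# and a constructed in-memory table named "users" (assumption, not from the thread).
import sqlite3

# Constructed allow-lists for the identifiers the example accepts.
ALLOWED_TABLES = {"users"}
ALLOWED_COLUMNS = {"id", "name"}


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [(1, "alice"), (2, "bob"), (3, "carol")])
    return conn


def lookup_interpolated(conn, user_id):
    # The value is spliced into the statement text, so any SQL it carries
    # is parsed and executed as part of the query.
    sql = f"SELECT name FROM users WHERE id = {user_id} ORDER BY id"
    return [row[0] for row in conn.execute(sql).fetchall()]


def lookup_parameterized(conn, user_id):
    # The value travels separately as a bound parameter; the database never
    # parses it as SQL, so "1 OR 1=1" is just a string that matches no id.
    sql = "SELECT name FROM users WHERE id = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (user_id,)).fetchall()]


def select_allowlisted(conn, columns, table):
    # Identifiers cannot be bound parameters, so they are checked against a
    # fixed allow-list before being placed into the statement text.
    if table not in ALLOWED_TABLES or not set(columns) <= ALLOWED_COLUMNS:
        raise ValueError("identifier not in allow-list")
    sql = f"SELECT {', '.join(columns)} FROM {table} ORDER BY id"
    return conn.execute(sql).fetchall()


def rejects_identifier(conn, columns, table):
    # True when the allow-list check refuses the identifiers.
    try:
        select_allowlisted(conn, columns, table)
    except ValueError:
        return True
    return False
```

With the constructed input "1 OR 1=1", the interpolated lookup returns every name while the parameterized one returns none.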