[Python-ideas] Draft PEP on string interpolation
Nick Coghlan
ncoghlan at gmail.com
Fri Aug 21 13:49:28 CEST 2015
On 21 August 2015 at 21:06, Nathaniel Smith <njs at pobox.com> wrote:
> On Aug 20, 2015 23:40, "Nick Coghlan" <ncoghlan at gmail.com> wrote:
>>
> [...]
>> myquery = i"SELECT $column FROM $table;"
>> mycommand = i"cat $filename"
>> mypage = i"<html><body>$content</body></html>"
>>
>> It's the opposite of the "interpolating untrusted strings that may
>> contain arbitrary expressions" problem - what happens when the
>> variables being *substituted* are untrusted? It's easy to say "don't
>> do that", but if doing the right thing incurs all the repetition
>> currently involved in calling str.format, we're going to see a *lot*
>> of people doing the wrong thing. At that point, the JavaScript
>> backticks-with-arbitrary-named-callable solution starts looking very
>> attractive:
>>
>> myquery = sql`SELECT $column FROM $table;`
>> mycommand = sh`cat $filename`
>> mypage = html`<html><body>$content</body></html>`
>
> Surely if using backticks we would drop the ugly prefix syntax and just make
> it a function call?
Not really, no, as `obj` already means repr(obj) in Python 2, and we
can't silently make it do something else in Python 3 (although we can
break it noisily and thus strongly encourage folks to switch to using
the builtin instead).

The attractiveness of "little bobby tables" [1] vulnerabilities with
an interpolation syntax that *doesn't* support custom interpolation
engines has switched me from being mildly interested in the idea of
good support for SQL, shell command and HTML generation to considering
it a necessary capability, though.

Cheers,
Nick.
[1] https://xkcd.com/327/
--
Nick Coghlan | ncoghlan at gmail.com | Brisbane, Australia
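The "custom interpolation engine" idea from the exchange above, as an added example that is not part of the original thread and not the PEP's proposed syntax: since `sql\`...\`` style tagged templates do not exist in Python, the `$name` placeholders are parsed with a plain regex and each engine is an ordinary function. The `sql` engine turns every substituted value into a `?` placeholder plus a bound parameter (identifiers such as the post's `$column`/`$table` are wrapped in a hypothetical `Identifier` marker, validated and quoted instead, because a database cannot bind a table name as a parameter); the `sh` engine quotes with `shlex.quote`; the `html_` engine escapes with `html.escape`. The `naive` function is the "doing the wrong thing" path the post warns about, and the "Bobby Tables" input is a constructed sample.

```python
import html
import re
import shlex
import sqlite3

# $name placeholders, as in the post's i"SELECT $column FROM $table;" examples
_PLACEHOLDER = re.compile(r"\$(\w+)")


class Identifier(str):
    """Hypothetical marker: the value is a table/column name, to be quoted, not bound."""


def naive(template, **values):
    """Plain textual substitution: the unsafe path the post warns against."""
    return _PLACEHOLDER.sub(lambda m: str(values[m.group(1)]), template)


def sql(template, **values):
    """SQL engine: every value becomes a '?' placeholder and a bound parameter.

    Returns (query_text, params); the value can never change the query's structure.
    Identifier-marked values are validated against a strict pattern and double-quoted.
    """
    params = []

    def replace(match):
        value = values[match.group(1)]
        if isinstance(value, Identifier):
            if not re.fullmatch(r"[A-Za-z_]\w*", value):
                raise ValueError(f"refusing unsafe identifier: {value!r}")
            return f'"{value}"'
        params.append(value)
        return "?"

    return _PLACEHOLDER.sub(replace, template), tuple(params)


def sh(template, **values):
    """Shell engine: each value is quoted so it is passed as a single literal word."""
    return _PLACEHOLDER.sub(lambda m: shlex.quote(str(values[m.group(1)])), template)


def html_(template, **values):
    """HTML engine: each value is escaped so it renders as text, not markup."""
    return _PLACEHOLDER.sub(lambda m: html.escape(str(values[m.group(1)])), template)


def run_sql_demo():
    """Push the 'Bobby Tables' name through both paths against an in-memory SQLite DB.

    Returns (naive_text, engine_text, stored_names): the naive string carries a second
    statement, while the engine stores the whole input as one harmless data value.
    """
    untrusted = "Robert'); DROP TABLE students;--"  # constructed sample input
    naive_text = naive("INSERT INTO students (name) VALUES ('$name')", name=untrusted)

    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE students (name TEXT)")
    engine_text, params = sql("INSERT INTO students (name) VALUES ($name)", name=untrusted)
    conn.execute(engine_text, params)
    stored = [row[0] for row in conn.execute("SELECT name FROM students ORDER BY name")]
    conn.close()
    return naive_text, engine_text, stored


if __name__ == "__main__":
    naive_text, engine_text, stored = run_sql_demo()
    print("naive :", naive_text)
    print("engine:", engine_text)
    print("stored:", stored)
    print(sql("SELECT $column FROM $table WHERE name = $name",
              column=Identifier("name"), table=Identifier("students"), name="Alice"))
    print(sh("cat $filename", filename="notes; echo oops"))
    print(html_("<html><body>$content</body></html>", content="<b>hi</b> & bye"))
```

The point the engines make is that the escaping rule depends on the target language, which is exactly why a single generic interpolation syntax cannot do the right thing by itself; note that for SQL, parameter binding only covers values, and the identifier allow-list here is the minimum needed for the post's `$column`/`$table` case.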