XML Considered Harmful
Dan Stromberg
drsalists at gmail.com
Thu Sep 23 23:44:32 EDT 2021
On Thu, Sep 23, 2021 at 8:12 PM Chris Angelico <rosuav at gmail.com> wrote:
> One good hybrid is to take a subset of Python syntax (so it still
> looks like a Python script for syntax highlighting etc), and then
> parse that yourself, using the ast module. For instance, you can strip
> out comments, then look for "VARNAME = ...", and parse the value using
> ast.literal_eval(), which will give you a fairly flexible file format
> that's still quite safe.
>
Restricting Python with the ast module is interesting, but I don't think
I'd want to bet my career on the actual safety of such a thing. Given that
Java bytecode was a frequent problem inside web browsers, imagine all the
messiness that could accidentally happen with a subset of Python syntax
from untrusted sources.
ast.literal_eval might be a little better - or a list of such, actually.
Better still to use JSON or ini format - IOW something designed for the
purpose.
More information about the Python-list
mailing list