[Python-3000] Issues with PEP 3101 (string formatting)

Chris McDonough chrism at plope.com
Sun Jun 24 08:32:13 CEST 2007


On Jun 24, 2007, at 2:01 AM, Talin wrote:
> The current design is a mid-point between Perl's interpolated  
> strings (which can contain arbitrary expressions), and C-style  
> printf. The guiding rule is to allow expressions which increase  
> convenience and expressiveness, and which are likely to be useful,  
> while disallowing most of the types of expressions which would be  
> likely to have side effects. Since this is Python, we can't  
> guarantee that there's no side effects, but we can make a pretty  
> good guess based on the assumption that most Python programmers are  
> reasonable and sane.

Of course it's a judgment call whether the benefit of being able to  
do attribute/item lookup within formatting expressions is "worth  
it".  At very least it means I'll need to be more careful when  
supplying formatting arguments in order to prevent inappropriate data  
exposure.  And I won't be able to allow untrusted users to compose  
plain strings with formatting expressions in them, at least without  
imposing some restricted execution model within the objects fed to  
the formatter.  Zope currently does this inasmuch as it allows people  
to compose dynamic TALES expressions, which is "safe" right now, but  
will become unsafe.  Frankly I'd rather just not think about it,  
because leaving this feature out is way easier than dealing with  
restricted execution or coming up with a mini templating language to  
replace the current string formatting stuff, which works fine.

But, that aside, at very least, we shouldn't restrict the names  
available to be looked up by default to those not starting with an  
underscore (for the reasons I mentioned in the original post in this  
thread).

>
> From an implementation standpoint, this is not where the complexity  
> lies. (The most complex part of the code is the part dealing with  
> details of conversion specifiers and formatting of numbers.)

I know it's not very complex, I just don't believe it's terribly  
beneficial to have in the base string formatting implementation, and  
it's potentially harmful.  Particularly to web programmers, at least  
to dumb ones like me.

- C
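
The exposure concern raised in this message, shown as an added example that is not part of the original post or of the PEP 3101 reference code: a user-composed template reaches an attribute the caller never meant to publish, and a `string.Formatter` subclass refuses compound field names. `FlatFormatter`, `Account`, `api_token` and the `render_*` helpers are hypothetical names, and the token value is constructed.

```python
import string

class FlatFormatter(string.Formatter):
    """Hypothetical hardened formatter for user-composed templates:
    plain field names only, scalar values only."""

    def get_field(self, field_name, args, kwargs):
        # PEP 3101 compound names ("user.email", "row[0]") trigger
        # attribute/item lookup on the argument; refuse them outright.
        if "." in field_name or "[" in field_name:
            raise ValueError("compound field name rejected: %r" % field_name)
        obj, key = super().get_field(field_name, args, kwargs)
        # Refuse arbitrary objects so "!r" or a custom __format__ cannot
        # reveal more than the caller explicitly passed in.
        if not isinstance(obj, (str, int, float)):
            raise ValueError("non-scalar value rejected for %r" % field_name)
        return obj, key


class Account:
    """Constructed sample object holding one public and one private field."""

    def __init__(self, name, api_token):
        self.name = name
        self.api_token = api_token


def render_default(template, **values):
    # Built-in behaviour: the template author can reach any attribute.
    return template.format(**values)


def render_flat(template, **values):
    # Nested fields inside a format spec also pass through get_field.
    return FlatFormatter().vformat(template, (), values)


def is_rejected(template, **values):
    try:
        render_flat(template, **values)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    acct = Account("alice", "tok-CONSTRUCTED")
    print(render_default("Hi {user.name} / {user.api_token}", user=acct))
    print(render_flat("Hi {name}", name=acct.name))
    print(is_rejected("{user.api_token}", user=acct))
```
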


