[Python-Dev] proposal: evaluated string

tomer filiba tomerfiliba at gmail.com
Thu Apr 20 20:23:04 CEST 2006


>
> We already have a slew of templating utilities (see Cheetah for example).
>
first of all -- i know there's a bunch of templating engines, but i think
it should be a built-in feature of the language. like boo does. and estr is
stronger than simple $name substitution, like Template does.

> Be sure to stay aware of the security risks if the fill-in values are user
> specified.
>
that's one major benefit of having it as a builtin type -- you don't have
security risks, as the expression itself is embedded in your code, not
something you get from the outside:

name = raw_input("what's you name?")
print e"hello {name}"

does not get the *expression* from the user, only the *values*, so unless
the user causes a buffer overflow with a huge string, he can't run code. the
estr object is part of *your* code, which you trust.

> If you need this, then consider using a third-party templating module.
>
that 50-liner estr class i presented does just that.

> Using the key twice is basic to templating (once to specify where to
> make the substitution and once to specify its value).  This is no
> different from using variable names in regular code:   a=1; ... ; b =
> a+2  # variable-a is used twice.
>
but when it's defined once as an argument to a function, once in the
template, and once in the dict, that's three times, where it can be only
two.

def f(name):
    print e"hello {name}"

> Also, the example is misleading because real-apps are substitute
> variables, not constants.  IOW, the above code fragment is semantically
> equivalent to:  print "hello john".


what do you mean by that?

> 3) it is less
> flexible than  the class constructor which can be subclassed and
> extended as needed.
>
do you often subclass str? it's a built-in type, part of the language,
subclassing it doesn't make much sense. after all it's the language compiler
that instantiates these types, i.e., when you do "hello", the compiler
creates an instance of str() with that value, not you directly, and that's
the case here.


-tomer

On 4/20/06, Raymond Hettinger <rhettinger at ewtllc.com> wrote:
>
>
> >
> >If you don't like the $name style of template markup and prefer
> >delimiters instead, then check-out the recipe at:
> >
> >    http://aspn.activestate.com/ASPN/Cookbook/Python/Recipe/3053
> >
> >
> The link should have been:
>
>    http://aspn.activestate.com/ASPN/Cookbook/Python/Recipe/305306
>
>
>
>
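The expression-versus-value distinction argued in the message above, as an added example that is not part of the original post and is not the estr class it mentions. `render` is a hypothetical single-pass evaluator written in current Python, `API_KEY` is a constructed value, and the last function shows `string.Template` as the name-only option when the template text itself is external.

```python
import re
from string import Template

API_KEY = "constructed-secret-123"   # constructed sample value
_FIELD = re.compile(r"\{([^{}]+)\}")


def render(template, namespace):
    """Evaluate each {expr} in *template* once against *namespace*.

    Hypothetical estr-like helper. Substituted results are inserted
    verbatim and never rescanned, so braces inside a value stay text.
    Because it calls eval(), the template is code, not data.
    """
    def repl(match):
        return str(eval(match.group(1), {"__builtins__": {}}, namespace))
    return _FIELD.sub(repl, template)


def greet_trusted(user_value):
    # Template is a literal in our own source; only the value is external.
    return render("hello {name}", {"name": user_value, "api_key": API_KEY})


def greet_untrusted(user_template):
    # Template text arrives from outside: every {expr} in it is evaluated
    # against whatever the namespace exposes.
    return render(user_template, {"name": "john", "api_key": API_KEY})


def greet_with_template(user_template, name):
    # Name-only substitution: no expressions are evaluated, and only the
    # keys passed here are visible. Unknown placeholders are left intact.
    return Template(user_template).safe_substitute(name=name)


if __name__ == "__main__":
    print(greet_trusted("{api_key}"))
    print(greet_untrusted("hello {api_key}"))
    print(greet_with_template("hello $name, key=$api_key", "john"))
```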