[Python-ideas] String interpolation for all literal strings

Wes Turner wes.turner at gmail.com
Thu Aug 6 21:25:02 CEST 2015


On Thu, Aug 6, 2015 at 2:02 PM, Wes Turner <wes.turner at gmail.com> wrote:

>
>
> On Wed, Aug 5, 2015 at 8:58 PM, Terry Reedy <tjreedy at udel.edu> wrote:
>
>> On 8/5/2015 3:34 PM, Yury Selivanov wrote:
>>
>>> '\{..}' feels unbalanced and weird.
>>
>> Escape both.  The closing } is also treated specially, and not inserted
>> into the string.  The compiler scans linearly from left to right, but human
>> eyes are not so constrained.
>>
>> s = "abc\{kjljid some long expression jk78738}def"
>>
>> versus
>>
>> s = "abc\{kjljid some long expression jk78738\}def"
>>
>> and how about
>>
>> s = "abc\{kjljid some {long} expression jk78738\}def"
>
>
> +1: escape \{both\}.
>
> Use cases where this is (as dangerous as other string interpolation
> methods):
>
> * Shell commands that should be shlex-parsed/quoted
> * (inappropriately, programmatically) writing
>    code with manually-added quotes ' and doublequotes "
> * XML,HTML,CSS,SQL, textual query language injection
> * Convenient, but dangerous and IMHO much better handled
>    by e.g. MarkupSafe, a DOM builder, a query ORM layer
>
> Docs / Utils:
>
> * [ ] ENH: AST scanner for these (before i do __future__ import)
> * [ ] DOC: About string interpolation, in general
>

BTW here's a PR to add subprocess compat to sarge (e.g. for sarge.run)

* https://bitbucket.org/vinay.sajip/sarge/pull-requests/1/enh-add-call-check_call-check_output
* https://sarge.readthedocs.org/en/latest/overview.html#why-not-just-use-subprocess
* https://cwe.mitre.org/top25/
  * #1: https://cwe.mitre.org/top25/#CWE-89 SQL Injection
  * #2: https://cwe.mitre.org/top25/#CWE-78 OS Command injection
  * ....


>> --
>> Terry Jan Reedy
>>
>>
>> _______________________________________________
>> Python-ideas mailing list
>> Python-ideas at python.org
>> https://mail.python.org/mailman/listinfo/python-ideas
>> Code of Conduct: http://python.org/psf/codeofconduct/
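The injection contexts listed in the quoted message (shell commands, SQL, HTML), as an added example that is not part of this thread: the interpolated construction sits beside the quoted, parameterized or escaped form the message recommends. Python f-strings stand in for the proposed `\{...}` syntax, and the table rows and hostile inputs are constructed for the demo.

```python
import html
import shlex
import sqlite3

def make_db():
    """In-memory table with constructed rows, so the SQL cases run offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [(1, "alice"), (2, "bob")])
    return conn

def sql_interpolated(conn, name):
    """Unsafe: the value is spliced into the SQL text and parsed as SQL."""
    return conn.execute(f"SELECT id FROM users WHERE name = '{name}' ORDER BY id").fetchall()

def sql_parameterized(conn, name):
    """Safe: the driver binds the value; it is never parsed as SQL."""
    return conn.execute("SELECT id FROM users WHERE name = ? ORDER BY id", (name,)).fetchall()

def shell_interpolated(filename):
    """Unsafe: the value becomes part of the shell's grammar, not one argument."""
    return f"ls -l {filename}"

def shell_quoted(filename):
    """Safer: shlex.quote wraps the value so the shell sees a single word."""
    return f"ls -l {shlex.quote(filename)}"

def shell_argv(filename):
    """Safest: an argv list for subprocess.run(argv); no shell ever parses it."""
    return ["ls", "-l", filename]

def shell_words(command):
    """Tokenize the command line the way a POSIX shell would (shlex models that)."""
    return shlex.split(command)

def html_escaped(comment):
    """Safe: html.escape neutralizes <, >, & and quotes (MarkupSafe does the same)."""
    return f"<p>{html.escape(comment)}</p>"

if __name__ == "__main__":
    conn = make_db()
    hostile = "' OR '1'='1"                   # constructed tautology payload
    print(sql_interpolated(conn, hostile))    # every row comes back
    print(sql_parameterized(conn, hostile))   # no user has that literal name
    print(shell_words(shell_interpolated("report.txt; echo injected")))
    print(shell_words(shell_quoted("report.txt; echo injected")))
```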