[Python-ideas] Briefer string format

Steve Dower Steve.Dower at microsoft.com
Sat Aug 8 05:26:11 CEST 2015


> Could you provide an example of what is wrong with
"{a}{b}".format(**vars())?

>>> ["{a}{b}".format(**vars()) for _ in range(1)]

Comprehensions have their own scope. This needs to be a compile-time transform into a normal variable lookup.

Cheers,
Steve

Top-posted from my Windows Phone
________________________________
From: Akira Li <4kir4.1i at gmail.com>
Sent: 8/7/2015 18:55
To: python-ideas at python.org
Subject: Re: [Python-ideas] Briefer string format

Guido van Rossum <guido at python.org> writes:

> On Thu, Aug 6, 2015 at 10:35 PM, Wes Turner
> <wes.turner at gmail.com> wrote:
>
>>
>> On Aug 6, 2015 3:03 PM, "Guido van Rossum" <guido at python.org> wrote:
>> >
>> > Unfortunately, all spellings that require calling locals() are wrong.
>>
>> Is this where the potential source of surprising error is?
>>
>> * Explicit / Implicit locals()
>>
> This is a big deal because of the worry about code injection. A "classic"
> format string given access to locals() (e.g. using s.format(**locals()))
> always stirs worries about code injection if the string is a variable. The
> proposed forms of string interpolation don't give access to locals *other
> than the locals where the string "literal" itself exists*. This latter
> access is no different from the access to locals in any expression. (The
> same for globals(), of course.)
>
> The other issue with explicit locals() is that to the people who would most
> benefit from variable interpolation (typically relatively unsophisticated
> users), it is magical boilerplate. (Worse, it's boilerplate that their more
> experienced mentors will warn them against because of the code injection
> worry.)

Googling e.g., "python locals code injection" yields nothing specific:

http://stackoverflow.com/questions/2515450/injecting-variables-into-the-callers-scope
http://stackoverflow.com/questions/13312240/is-a-string-formatter-that-pulls-variables-from-its-calling-scope-bad-practice

Could you provide an example of what is wrong with
"{a}{b}".format(**vars())?

Is it correct to say that there is nothing wrong with it as long as the
string is always a *literal*?

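Both concerns raised in this thread, worked through as an added example that is not part of the original messages: Guido's point that `**vars()` hands every local to a template that is not a literal, and Steve's point that inside a nested scope `vars()` no longer contains the caller's names. A nested function stands in for the comprehension from Steve's reply because Python 3.12 (PEP 709) inlined comprehensions and changed what `vars()` sees there; the `AllowListFormatter` is an assumed defensive alternative, not something the thread proposes.

```python
import string


def format_with_locals(template, a, b):
    """The pattern from the thread: hand the whole local namespace to
    str.format. Safe only while `template` is a literal in this function;
    a template supplied from outside can name any local, here `secret`."""
    secret = "hunter2"  # constructed: a local that should never be rendered
    return template.format(**vars())


def format_in_nested_scope(a, b):
    """Steve's point, shown with a nested function instead of a
    comprehension: vars() inside `render` sees only render's own locals,
    so the field names `a` and `b` are missing. Returns the formatted
    string, or the name of the first missing field."""
    def render():
        return "{a}{b}".format(**vars())
    try:
        return render()
    except KeyError as exc:
        return exc.args[0]


class AllowListFormatter(string.Formatter):
    """Defensive variant (assumed, not from the thread): only explicitly
    allowed field names resolve. get_field receives the whole field
    expression (e.g. 'a' or 'a.upper'), so attribute and index chains
    on allowed names are rejected as well."""

    def __init__(self, allowed):
        super().__init__()
        self.allowed = dict(allowed)

    def get_field(self, field_name, args, kwargs):
        if field_name not in self.allowed:
            raise KeyError(field_name)
        return self.allowed[field_name], field_name


def safe_render(template, a, b):
    """Render `template` with only `a` and `b` reachable; return None
    when the template asks for anything else."""
    try:
        return AllowListFormatter({"a": a, "b": b}).format(template)
    except KeyError:
        return None
```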