[Python-ideas] Briefer string format

Nick Coghlan ncoghlan at gmail.com
Tue Jul 21 15:05:45 CEST 2015


On 21 July 2015 at 21:58, Eric V. Smith <eric at trueblade.com> wrote:
> [1] Which makes me think of the crazy idea of passing in unevaluated
> f-strings in to another function to be evaluated in their context. But
> the code injection opportunities with doing this with arbitrary
> user-specified strings are just too scary to think about. At least with
> str.format() you're limited in what the expressions can do. Basically
> indexing and attribute access. No function calls: '{.exit()}'.format(sys) !

Yeah, this is why I think anything involving implicit interpolation
needs to be transparent to the compiler: the security implications
with anything other than literal format strings or some other
explicitly compile time operation are far too "exciting" otherwise.

I wonder though, if we went with the f-strings idea, could we make
them support a *subset* of the "str.format" call syntax, rather than a
superset? What if they supported name and attribute lookup syntax, but
not positional or subscript lookup?

They'd still be great for formatting output in scripts and debugging
messages, but more complex formatting cases would still involve
reaching for str.format, str.format_map or exec("print(f'{this} is an
odd way to do a {format_map} call')", namespace).

Regards,
Nick.

-- 
Nick Coghlan   |   ncoghlan at gmail.com   |   Brisbane, Australia
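
An added example, not part of the original message: a checker for the subset discussed above (name and attribute lookup, no positional or subscript lookup), applied to format strings before they reach str.format_map, plus a check of the str.format limit Eric describes. The function names and the sample namespace are hypothetical and constructed for illustration.

```python
import sys
from string import Formatter
from types import SimpleNamespace


def rejected_fields(template):
    """Return the replacement fields that fall outside the name/attribute subset."""
    bad = []
    for _literal, field, spec, _conversion in Formatter().parse(template):
        if field is None:          # trailing literal text, no field
            continue
        # "a.b.c" passes; "" (auto-numbered), "0" (positional), "a[0]"
        # (subscript) and ".exit()" all contain a non-identifier part.
        if not all(part.isidentifier() for part in field.split(".")):
            bad.append(field)
        if spec:                   # nested fields, e.g. "{count:>{width}}"
            bad.extend(rejected_fields(spec))
    return bad


def render(template, namespace):
    """Format template against namespace only if every field is in the subset."""
    bad = rejected_fields(template)
    if bad:
        raise ValueError(f"fields outside the subset: {bad}")
    return template.format_map(namespace)


def call_in_field_fails():
    """str.format treats 'exit()' as an attribute name, so nothing is called."""
    try:
        "{.exit()}".format(sys)
    except AttributeError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample namespace.
    ns = {"user": SimpleNamespace(name="eve"), "count": 7, "width": 3}
    print(render("{user.name} has {count:>{width}}", ns))
    print(rejected_fields("{0} {} {a[0]} {a.b}"))
    print(call_in_field_fails())
```

Attribute lookup is still permitted by this subset, so any object placed in the namespace remains reachable through its attributes.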

