[Tutor] pythonic
Steven D'Aprano
steve at pearwood.info
Mon Apr 2 19:48:18 EDT 2018
On Mon, Apr 02, 2018 at 04:28:10PM +0200, Peter Otten wrote:
> > They look like string constants, but they're actually a hidden call to
> > eval().
>
> But because you cannot f-ify a string variable (without an additional eval()
> call) you aren't tempted to feed them user-provided data.
If only that were the case...
https://mail.python.org/pipermail/python-list/2018-March/731967.html
He reads f-strings from user-supplied data, then evals them.
But it's okay, he's only doing it within his own organisation, and we all
know that "insiders" are always 100% trusted. "Insider attack" is just a
pair of words. Right?
> As I'm getting tired of writing
>
> "...{foo}...{bar}...".format(foo=foo, bar=bar, ...)
You can write:
template.format(**(locals()))
or possibly nicer still:
template.format_map(locals())
--
Steve
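An added illustration of the two points in this message (it is not code from Steve's post or from the linked thread): evaluating a template that came from a user as an f-string runs whatever Python sits inside the braces, whereas str.format_map() only substitutes names from the mapping you hand it. The example narrows the suggested format_map(locals()) to an explicit dict, and adds one check a practitioner will want: a template passed through str.format can still reach attributes and items of the supplied objects via fields like {x.attr} or {x[k]}, so the helper rejects anything that is not a bare name. The function names unsafe_render, is_safe_template and safe_render and the sample templates are constructed for this example.

```python
import string

_FORMATTER = string.Formatter()


def unsafe_render(template: str, **values) -> str:
    """The pattern the thread warns against: turn untrusted text into an
    f-string and eval() it. Every {...} in the template is executed as
    Python code, not merely looked up."""
    return eval("f" + repr(template), {}, dict(values))


def is_safe_template(template: str) -> bool:
    """True if every replacement field in the template is a bare identifier
    (optionally with a conversion such as !r or a plain format spec), so that
    str.format_map() can only look names up in the mapping, never evaluate
    expressions or walk into attributes/items of the supplied values."""
    try:
        for _literal, field, spec, _conv in _FORMATTER.parse(template):
            if field is None:  # trailing literal text, no field
                continue
            if not field.isidentifier():  # rejects '', '0', 'x.attr', 'x[k]'
                return False
            if spec and "{" in spec:  # nested fields like {x:{width}}
                return False
    except ValueError:  # unbalanced braces etc.
        return False
    return True


def safe_render(template: str, **values) -> str:
    """Substitute only the names given as keyword arguments. An expression,
    attribute or item access in the template is refused up front; an unknown
    bare name surfaces as a KeyError from format_map()."""
    if not is_safe_template(template):
        raise ValueError(f"disallowed replacement field in template: {template!r}")
    return template.format_map(dict(values))


if __name__ == "__main__":
    # Constructed inputs standing in for templates read from a user.
    benign = "Hello {name}, you have {count} messages"
    expression = "{1 + 1}"
    attribute = "{name.__class__}"

    print(unsafe_render(benign, name="Ann", count=3))
    print(unsafe_render(expression))  # the braces were executed: prints 2

    print(safe_render(benign, name="Ann", count=3))
    for bad in (expression, attribute):
        try:
            safe_render(bad, name="Ann")
        except ValueError as exc:
            print("rejected:", exc)
```

Only names you explicitly pass reach the template, so dropping the locals() shortcut in favour of a dict also keeps incidental local variables out of a template a user wrote.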