On 8/11/2015 11:28, Wes Turner wrote:
>
>
> On Aug 11, 2015 10:19 AM, "Wes Turner" <wes.turner at gmail.com
> <mailto:wes.turner at gmail.com>> wrote:
>
> - [ ] review all string interpolation (for "injection")
>   * [ ] review every '%'
>   * [ ] review every ".format()"
>   * [ ] review every f-string (AND LOCALS AND GLOBALS)
>   * every os.system, os.exec*, subprocess.Popen
>   * every unclosed tag
>   * every unescaped control character
>
> This would create work we don't need.
>
> Solution: __str_shell_ escapes, adds slashes, and quotes. __str__SQL__
> refs a global list of reserved words.
>

I don't understand why % and .format got interjected into this. If you are mentioning them as 'get the unprocessed version of any string formatting', that is a bad idea, and not needed, since you already have an unprocessed string object.

Assuming the method were named "hypothetical":

    >>> 'foo bar'.hypothetical()                  # returns 'foo bar'
    >>> '{0} bar'.format('foo').hypothetical()    # returns 'foo bar'
    >>> ('%s bar' % ('foo',)).hypothetical()      # returns 'foo bar'
    >>> f'{foo} bar'.hypothetical()               # returns '{foo} bar', prime for translation.

Could gettext not be modified to create the same AST as f'{foo} bar' when it is translated to '{foo} le bar.' and inject it back into the runtime?
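The quoted checklist ("review every f-string ... every os.system, subprocess.Popen") is about untrusted text reaching a shell or SQL sink through string interpolation. The block below is an added example, not code from this thread or from CPython: it builds each sink once with an f-string and once with the existing escaping or parameter mechanism (shlex.quote, an argv list with shell=False, sqlite3 placeholders), so the difference is visible in the tokens the shell would see and the rows the database returns. The filenames, table and payloads are constructed for the demonstration.

```python
"""Added example (not from the thread): what "review every f-string" is looking for.

Two sinks from the checklist, a shell command line and a SQL query, each built
with f-string interpolation and then with the proper escaping/parameter
mechanism. All inputs below are constructed for the demo.
"""
import shlex
import sqlite3
import subprocess

# Constructed inputs: a benign filename and one carrying a shell metacharacter.
BENIGN_NAME = "report.txt"
HOSTILE_NAME = "report.txt; echo pwned"
# Constructed SQL payload: closes the quoted literal and appends a tautology.
SQL_PAYLOAD = "nobody' OR '1'='1"


def unsafe_shell_cmd(name: str) -> str:
    """The pattern the checklist flags: untrusted text dropped into a shell line."""
    return f"ls -l {name}"


def safe_shell_cmd(name: str) -> str:
    """Same line with the argument quoted, so the shell sees exactly one word."""
    return f"ls -l {shlex.quote(name)}"


def shell_words(cmd: str) -> list[str]:
    """Tokenize like a POSIX shell would (';' becomes a separate operator token)."""
    return list(shlex.shlex(cmd, posix=True, punctuation_chars=True))


def run_without_shell(name: str) -> str:
    """Preferred form: argv list with shell=False, so no quoting is needed at all.

    'echo' is assumed to exist on PATH (it does on any POSIX system)."""
    out = subprocess.run(["echo", name], capture_output=True, text=True, check=True)
    return out.stdout.rstrip("\n")


def _demo_db() -> sqlite3.Connection:
    """Constructed in-memory table with two rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [("alice", "s1"), ("bob", "s2")])
    return conn


def unsafe_lookup(name: str) -> list[tuple]:
    """f-string into SQL: the payload rewrites the WHERE clause."""
    conn = _demo_db()
    return conn.execute(f"SELECT name FROM users WHERE name = '{name}'").fetchall()


def safe_lookup(name: str) -> list[tuple]:
    """Parameter placeholder: the payload is compared as a literal string."""
    conn = _demo_db()
    return conn.execute("SELECT name FROM users WHERE name = ?", (name,)).fetchall()


if __name__ == "__main__":
    print(shell_words(unsafe_shell_cmd(HOSTILE_NAME)))
    print(shell_words(safe_shell_cmd(HOSTILE_NAME)))
    print(run_without_shell(HOSTILE_NAME))
    print(unsafe_lookup(SQL_PAYLOAD), safe_lookup(SQL_PAYLOAD))
```

The tokenizer view is the useful check when reviewing a line like `os.system(f"...")`: if the interpolated value can add a token, it can add a command. The argv-list form removes the shell from the path entirely, which is why it is preferred over quoting.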