Archived at: https://mail.python.org/pipermail/python-dev/2015-September/141446.html

[Python-Dev] Critique of PEP 501 (General purpose string interpolation)

Guido van Rossum guido at python.org
Sat Sep 5 05:04:28 CEST 2015

I think it's too much effort for too little gain.

The motivation feels very weak; surely writing

  os.system("echo " + message_from_user)

is just as easy (as is the %s spelling), so the security issue can hardly
be blamed on PEP 498.

I also don't think that the current way to address such security issues is
a big deal:

- The subprocess module is complex for other reasons, and a simpler wrapper
could easily be made;

- Database wrappers have forever included their own solution for safely
quoting query parameters, and people who still don't use that are not
likely to care about i-strings either.

- Logging: again, it's hard to beat the existing solution, which mostly
comes down to using %r instead of %s for any user-supplied or otherwise
unverified data.

- HTML quoting is an art and I'm skeptical that the proposal will even work
for that use case.

-- 
--Guido van Rossum (python.org/~guido)
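The existing defenses the post lists (an argument list instead of a shell string, bound query parameters, `%r` in log messages, HTML escaping), as an added example that is not part of the original message; it uses only the standard library and constructed sample input.

```python
import html
import shlex
import sqlite3
import subprocess

# Constructed untrusted input containing shell metacharacters.
UNTRUSTED = "hi; echo INJECTED"


def echo_safely(message: str) -> str:
    """Run echo with an argument list: no shell parses the message,
    so ';' is handed to echo as a literal character."""
    result = subprocess.run(["echo", message], capture_output=True,
                            text=True, check=True)
    return result.stdout


def shell_line(message: str) -> str:
    """If a shell string is unavoidable, quote the untrusted part."""
    return "echo " + shlex.quote(message)


def make_db() -> sqlite3.Connection:
    """In-memory table with one constructed row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice')")
    return conn


def find_user(conn: sqlite3.Connection, name: str) -> list:
    """Bind the value with '?' instead of splicing it into the SQL text;
    a quote inside the name is then just part of the compared string."""
    return conn.execute("SELECT name FROM users WHERE name = ?",
                        (name,)).fetchall()


def log_line(value: str) -> str:
    """%r renders newlines and quotes escaped, so a value that tries to
    forge a second log line stays visibly inside one record."""
    return "user supplied %r" % value


def html_fragment(value: str) -> str:
    """Escape before embedding in markup (quote=True is the default)."""
    return "<p>%s</p>" % html.escape(value)


if __name__ == "__main__":
    print(echo_safely(UNTRUSTED), end="")
    print(shell_line(UNTRUSTED))
    print(find_user(make_db(), "alice' --"))
    print(log_line("alice\nsecond line"))
    print(html_fragment('<b>"x"</b>'))
```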