On Jun 24, 2007, at 2:01 AM, Talin wrote:
> The current design is a mid-point between Perl's interpolated
> strings (which can contain arbitrary expressions), and C-style
> printf. The guiding rule is to allow expressions which increase
> convenience and expressiveness, and which are likely to be useful,
> while disallowing most of the types of expressions which would be
> likely to have side effects. Since this is Python, we can't
> guarantee that there's no side effects, but we can make a pretty
> good guess based on the assumption that most Python programmers are
> reasonable and sane.

Of course it's a judgment call whether the benefit of being able to do attribute/item lookup within formatting expressions is "worth it". At very least it means I'll need to be more careful when supplying formatting arguments in order to prevent inappropriate data exposure. And I won't be able to allow untrusted users to compose plain strings with formatting expressions in them, at least without imposing some restricted execution model within the objects fed to the formatter. Zope currently does this inasmuch as it allows people to compose dynamic TALES expressions, which is "safe" right now, but will become unsafe.

Frankly I'd rather just not think about it, because leaving this feature out is way easier than dealing with restricted execution or coming up with a mini templating language to replace the current string formatting stuff, which works fine.

But, that aside, at very least, we shouldn't restrict the names available to be looked up by default to those not starting with an underscore (for the reasons I mentioned in the original post in this thread).

>
> From an implementation standpoint, this is not where the complexity
> lies. (The most complex part of the code is the part dealing with
> details of conversion specifiers and formatting of numbers.)

I know it's not very complex, I just don't believe it's terribly beneficial to have in the base string formatting implementation, and it's potentially harmful. Particularly to web programmers, at least to dumb ones like me.

- C

_______________________________________________
Python-3000 mailing list
http://mail.python.org/mailman/listinfo/python-3000
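
The data-exposure concern raised in the message above, shown with str.format and string.Formatter as they exist in current Python. This is an added example, not part of the original message or of the Python-3000 code; Account, PlainFieldFormatter, render_untrusted and is_rejected are hypothetical names and the sample values are constructed.

```python
import string


class Account:
    """Constructed sample object; attribute names are hypothetical."""

    def __init__(self, owner, api_key):
        self.owner = owner
        self.api_key = api_key  # never meant to be displayed


class PlainFieldFormatter(string.Formatter):
    """Formatter for untrusted templates: plain field names only."""

    def get_field(self, field_name, args, kwargs):
        # Called for every replacement field, including fields nested
        # inside a format spec, so one check covers both places.
        if "." in field_name or "[" in field_name:
            raise ValueError("lookup not allowed in field %r" % field_name)
        return super().get_field(field_name, args, kwargs)


def render_untrusted(template, **values):
    """Render a user-composed template against the supplied values only."""
    return PlainFieldFormatter().vformat(template, (), values)


def is_rejected(template, **values):
    """True when the restricted formatter refuses the template."""
    try:
        render_untrusted(template, **values)
    except ValueError:
        return True
    return False


ACCOUNT = Account("alice", "constructed-secret-value")

# The exposure: whoever writes the template picks the attribute, not the caller.
LEAKED = "Hello {acct.api_key}".format(acct=ACCOUNT)

if __name__ == "__main__":
    print(LEAKED)
    print(render_untrusted("Hello {owner}", owner=ACCOUNT.owner))
    print(is_rejected("Hello {acct.api_key}", acct=ACCOUNT))
    print(is_rejected("{acct.__dict__}", acct=ACCOUNT))
    print(is_rejected("{owner:{acct.api_key}}", owner="x", acct=ACCOUNT))
```

Passing only the individual values a template may show (owner=ACCOUNT.owner) rather than whole objects limits exposure even if the restricted formatter is bypassed.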
