On 24/06/07, Brett Cannon <[EMAIL PROTECTED]> wrote:
> On 6/20/07, Greg Falcon <[EMAIL PROTECTED]> wrote:
> > This sounds exactly right to me. I don't have strong feelings either
> > way about attribute lookups in formatting strings, or the security
> > problems they raise. But while it seems a reasonable stance that
> > user-injected getattr()s may pose a security problem, what seems
> > indefensible is the stance that user-injected getattr()s are okay
> > precisely when the attribute being looked up doesn't start with an
> > underscore.
> >
> > A single underscore prefix is a hint to human readers, not to the
> > language itself, and things should stay that way.
>
> Since Talin said he wanted to see what others had to say, I am going
> to say I agree with this sentiment. I want string formatting to be
> dead-simple. That means either leaving out overly fancy formatting
> abilities and keeping it simple, or make it very intuitive with as few
> special cases as possible.

Again, I agree. I'd prefer to see attribute access stay, but I'm not
too bothered, I'm very strongly against any restrictions based on the
form of name. Count me as +0 on allowing a.b, and -1 on allowing a.b
unless b contains leading underscores.

Paul.
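
An added example, not part of the original thread or of any proposed implementation: it uses the standard library's string.Formatter to compare a name-based rule (reject attributes starting with an underscore) against rejecting every attribute and index lookup in an untrusted template. The Account class, its field values and both formatter class names are constructed for illustration.

```python
import re
import string


class UnderscoreFilterFormatter(string.Formatter):
    """Name-based rule: reject only attribute names that start with '_'."""

    def get_field(self, field_name, args, kwargs):
        for attr in re.findall(r"\.([^.\[\]]+)", field_name):
            if attr.startswith("_"):
                raise ValueError(f"underscore attribute rejected: {attr!r}")
        return super().get_field(field_name, args, kwargs)


class NoLookupFormatter(string.Formatter):
    """All-or-nothing rule for untrusted templates: plain field names only."""

    def get_field(self, field_name, args, kwargs):
        if "." in field_name or "[" in field_name:
            raise ValueError(f"lookup rejected in field: {field_name!r}")
        return super().get_field(field_name, args, kwargs)


class Account:
    """Constructed sample object; every value here is made up."""

    def __init__(self):
        self.name = "alice"
        self.session_token = "constructed-token"  # public name, sensitive value
        self._notes = "internal"


def render(formatter, template, **values):
    """Return the rendered text, or the rejection message as 'REJECTED: ...'."""
    try:
        return formatter.format(template, **values)
    except ValueError as exc:
        return f"REJECTED: {exc}"


if __name__ == "__main__":
    acct = Account()
    for fmt in (UnderscoreFilterFormatter(), NoLookupFormatter()):
        for tpl in ("{acct.name}", "{acct._notes}", "{acct.session_token}"):
            print(type(fmt).__name__, tpl, "->", render(fmt, tpl, acct=acct))
```

The underscore filter passes session_token through untouched: the form of a name says nothing about the sensitivity of the value behind it.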
