I think it's too much effort for too little gain. The motivation feels very weak; surely writing
os.system("echo " + message_from_user) is just as easy (as is the %s spelling), so the security issue can hardly be blamed on PEP 498. I also don't think that the current way to address such security issues is a big deal: - The subprocess module is complex for other reasons, and a simpler wrapper could easily be made; - Database wrappers have forever included their own solution for safely quoting query parameters, and people who still don't use that are not likely to care about i-strings either. - Logging: again, it's hard to beat the existing solution, which mostly comes down to using %r instead of %s for any user-supplied or otherwise unverified data. - HTML quoting is an art and I'm skeptical that the proposal will even work for that use case. -- --Guido van Rossum (python.org/~guido)
_______________________________________________ Python-Dev mailing list Python-Dev@python.org https://mail.python.org/mailman/listinfo/python-dev Unsubscribe: https://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com