This is a response in part to Thomas Güttler's "Pre PEP: Python Literals"
but I am starting a separate thread because I think it deserves separate
discussion, and it's not a direct response to that proposal.
Here's the problem: we want to allow escaping in strings to prevent
injection in HTML, SQL, etc.
Proposed solutions generally concentrate on a new kind of escaped format
string. I won't go into detail on why I don't like these ideas because
others have already covered that ground.
Instead, here's what I think is a better solution: a mechanism to allow
formatting with html and sql escaping.
Specifically, I suggest these changes:
(1) Modify string formatting (str.format and f-strings) to add new
conversions !html !sql !xml, which escape characters for embedding in html,
sql, and xml respectively.**
(2) Modify string formatting to allow these new conversions to be added to
the current conversions, e.g. !s!html.
(3) Modify string formatting to add a new syntax that specifies a
conversion to use for all subsequent interpolations. The proposed syntax is
a replacement_field that starts with two exclamation points. The
replacement field itself expands to nothing and only affects the conversion
of subsequent fields. Thus
f"{!!html}<a href='{url}'>{text!r}</a>"
is equivalent to
f"<a href='{url!html}'>{text!r!html}</a>"
A replacement field of {!!} resets the default conversion.
Yes, this is more typing than t-strings or backticks but EIBTI. And I
believe this expands on existing format functions in a way that will be
much more clear to someone encountering this new mechanism. And it's more
flexible as it allows more granular control of escaping as in this example:
f"""
<h1>{title!html}</h1>
<p>{pre_rendered_html_body}</p>
"""
**It's unclear if there's any functional benefit of having both html and
xml encoding other than clarity of usage. Also, it would be nice to have a
mechanism for adding additional conversions but I don't want to complicate
the discussion at this point. Are there other standard escape mechanisms
that would be worth including?
--- Bruce
_______________________________________________
Python-ideas mailing list -- python-ideas@python.org
To unsubscribe send an email to python-ideas-le...@python.org
https://mail.python.org/mailman3/lists/python-ideas.python.org/
Message archived at
https://mail.python.org/archives/list/python-ideas@python.org/message/IJ7DAMTCBJQD5UEAV444DG5GALYN3U6C/
Code of Conduct: http://python.org/psf/codeofconduct/
