Thanks for the comments, Paul and Paul.

On Sun, Jun 27, 2021 at 1:14 AM Paul Moore <p.f.mo...@gmail.com> wrote:

> On Sun, 27 Jun 2021 at 08:11, Paul Bryan <pbr...@anode.ca> wrote:
> >
> > It looks like you're suggesting hard-coding specific language escape
> conventions into f-strings?
>
> That's how I understood the proposal too. Hard coding specific
> conventions shouldn't be part of a language construct IMO.
>

Yes, I am. I understand the objection that the language shouldn't know too
much about html or sql. My viewpoint is that injection attacks have been on
the OWASP Top Ten list since the inception of that list and it is unlikely
that it's going to fall off the top ten anytime soon. In my opinion
"practicality beats purity". There's a reason why many template languages
include built-in escaping operators.

> What if instead you were to allow delegation to some filter function?
> Then, it's generic and extensible.
>
> > def html(value: Any):
> >     filtered = ... # filter here
> >     return filtered
> >
> > f'{!!html}<a href="{url}">...<a>'
>

As I mentioned in a footnote, a mechanism for adding conversions would be
advantageous. The specific mechanism you describe would work for f-strings
but not work for str.format. Furthermore, someone reading my suggested
{!!html} would know what it meant while someone reading yours would have
to go read the referenced function to be sure what it did. I'm not against
such a mechanism. I'm just not sure it sufficiently addresses the injection
risk.

> Well, there's already a way of handling that:
>
> f'<a href="{html(url)}">...<a>'
>

That does not work for str.format, only for f-strings.

> So all you're saving is a bit of typing.
>

I believe that this provides more clarity than your version, which of
course, I am already aware of. I also know that people are much more likely
to remember to add a single {!!html} at the front of each template than to
add {html()} everywhere. Furthermore, projects could adopt a convention of
marking all html strings (because EIBTI) and have a linter flag strings
that did not include {!!html} or {!!}.

--- Bruce
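As an added illustration of the two styles argued over in this thread (example code, not from the thread, from Bruce's proposal or from Python itself): a `string.Formatter` subclass that emulates a per-field `!h` conversion next to a template-wide `{!!html}` marker, so the str.format case Bruce raises is covered as well as the f-string one. The marker handling, the `!h` conversion name, the `Safe` type and the hostile input are all constructions of this example.

```python
import html
import string


class Safe(str):
    """A string already escaped or trusted; template-wide escaping leaves it alone."""


class HtmlFormatter(string.Formatter):
    """str.format-style templating emulating both styles from the thread: ``{url!h}``
    escapes one field (the ``{html(url)}`` style) and a template starting with the
    marker ``{!!html}`` escapes every field unless it is Safe. Both are this example's
    own emulation; the real Formatter only accepts single-character conversions."""

    MARKER = "{!!html}"
    _escape_all = False

    def vformat(self, format_string, args, kwargs):
        # Template-wide marker: remember it, strip it, then reuse str.format's parser.
        self._escape_all = format_string.startswith(self.MARKER)
        if self._escape_all:
            format_string = format_string[len(self.MARKER):]
        return super().vformat(format_string, args, kwargs)

    def convert_field(self, value, conversion):
        if conversion == "h":  # per-field escape; Safe stops format_field re-escaping it
            return Safe(html.escape(str(value), quote=True))
        return super().convert_field(value, conversion)

    def format_field(self, value, format_spec):
        rendered = super().format_field(value, format_spec)
        if self._escape_all and not isinstance(value, Safe):
            return html.escape(rendered, quote=True)
        return rendered


def render(template, **fields):
    return HtmlFormatter().format(template, **fields)

# Constructed untrusted input that breaks out of an attribute when left unescaped.
UNTRUSTED = '"><i>injected</i>'


def demo():
    per_field = render('<a href="{url!h}">link</a>', url=UNTRUSTED)
    # One marker at the front covers every field, including any an author forgot.
    auto = render('{!!html}<a href="{url}" title="{title}">{title}</a>',
                  url=UNTRUSTED, title="<b>Hi</b>")
    plain = render('<a href="{url}">link</a>', url=UNTRUSTED)  # neither: injected
    return per_field, auto, plain
```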
_______________________________________________
Python-ideas mailing list -- python-ideas@python.org
To unsubscribe send an email to python-ideas-le...@python.org
https://mail.python.org/mailman3/lists/python-ideas.python.org/
Message archived at 
https://mail.python.org/archives/list/python-ideas@python.org/message/KHS7GN24VNEP7GZZ4O3GC3W6KLISMC6A/
Code of Conduct: http://python.org/psf/codeofconduct/