On Sat, 26 Nov 2016 07:01 pm, Ian Kelly wrote:

> When I read that Python 3.6 would include f-strings, I turned to the
> coworker sitting next to me and said, "Oh my god, Python is adding yet
> another new syntax for string formatting." It's getting to be a joke.

f-strings are not merely string formatting. They are a new syntax for
evaluating arbitrary Python expressions, which then get inserted into a
string. In some ways, they're like the old Python 2 backtick syntax:

py> `1 + len(str(5**4))`
'4'

except that you can automagically concatenate strings to the evaluated
expressions.

So-called f-strings haven't even hit the already been implicated in a
code-injection vulnerability:

http://bugs.python.org/issue28563

I feel kind of vindicated here, because when so-called f-strings were first
proposed I asked about the security implication of another way of
evaluating arbitrary expressions, and I was told that there were no
security implications. Technically that might be true in the sense that
f-strings don't do anything that wasn't already possible, but as the above
bug shows, they can make exploiting code injection trivially easy in cases
where they were previously diabolically hard.

Yay for progress.

-- 
Steve
“Cheer up,” they said, “things could be worse.” So I cheered up, and sure
enough, things got worse.

-- 
https://mail.python.org/mailman/listinfo/python-list