[Python-ideas] Re: Pre PEP: Python Literals (was custom strings before)

2021-06-14 Thread David Mertz
>> 1. It is too verbose. Typing "conditional_escape(...)" again and
>>    again is cumbersome.
>>
>> from django.utils.html import conditional_escape as esc
>> f'Hi {esc(name)}'

It's too bad that ␛ U+251B isn't a valid Python identifier. Then we could
do it in one character :-)

But as I keep saying, confusing new syntax to save a couple characters in
calling an existing function is not a good thing.

-- 
The dead increasingly dominate and strangle both the living and the
not-yet born.  Vampiric capital and undead corporate persons abuse
the lives and control the thoughts of homo faber. Ideas, once born,
become abortifacients against new conceptions.
___
Python-ideas mailing list -- python-ideas@python.org
To unsubscribe send an email to python-ideas-le...@python.org
https://mail.python.org/mailman3/lists/python-ideas.python.org/
Message archived at 
https://mail.python.org/archives/list/python-ideas@python.org/message/MHIKHVO6365C6HLLT53Q7FVQ5ULYXPBR/
Code of Conduct: http://python.org/psf/codeofconduct/


[Python-ideas] Re: Pre PEP: Python Literals (was custom strings before)

2021-06-14 Thread J. Pic
My bad, I had missed nesting template literals support in the PEP, it makes
it interesting then!
Message archived at 
https://mail.python.org/archives/list/python-ideas@python.org/message/RI6TXNMI2NNWKZQO5FXVS76VI7ROMEXY/


[Python-ideas] Re: Pre PEP: Python Literals (was custom strings before)

2021-06-14 Thread J. Pic
On Thu, Jun 10, 2021 at 4:07 PM Chris Angelico wrote:

>
> What's the advantage of htmx? When I want to build a good interactive
> web site, my general pattern is a back end with a well-defined API,
> and a front end in JavaScript that makes use of this API. That API is
> usually going to be based on either a RESTful (or roughly REST-like)
> JSON transactional system, or something like websockets, again
> carrying JSON payloads. HTML is the realm of the display, not the back
> end.
>

I use unpoly but the deal is the same: backend HTML rendering lets us
leverage all sorts of meta programming, i.e. add a field to a form and you
don't have to change your presentation layer: the Form instance will
automatically render a form field with all the necessary validation, i.e. in
the case of a username field which must be unique in the database.

-- 
∞
Message archived at 
https://mail.python.org/archives/list/python-ideas@python.org/message/2NFYDGMIC3SFXNX5B6DPI2NECJE7OCA6/


[Python-ideas] Re: Pre PEP: Python Literals (was custom strings before)

2021-06-14 Thread J. Pic
On Thu, Jun 10, 2021 at 8:34 AM Thomas Güttler wrote:

>
> This solution has two drawbacks:
>
> 1. It is too verbose. Typing "conditional_escape(...)" again and again
>    is cumbersome.
>
> from django.utils.html import conditional_escape as esc
> f'''
> Hi {esc(name)}
> Your messages: {esc(messages)}
> '''

>
> 2. If a conditional_escape() gets forgotten, cross-site scripting
>    attacks could be possible, since malicious users could inject HTML.
>

This is specific to Django and other frameworks out there which accept
anything as user input by default; that's an anti-pattern which OWASP
recommends against because obviously it opens a wide range of attack
vectors. Absolutely no security audit would ever validate the default
validation of a CharField or a TextField.

Another problem I see with this proposal is how do you actually use safe
HTML in variables?

msgs = [f'<li>{msg}</li>' for msg in messages]
f'''
Hi {name}
Your messages: {msgs}
'''

Will output:

Hi Your name
Your messages: <li>Your message</li>

Instead of what we would want in this situation:

Hi Your name
Your messages: Your message

Otherwise a good idea; it's an issue we have, even though the first immediate
fix needed is Django's default input validation, which is just an open bar.
Message archived at 
https://mail.python.org/archives/list/python-ideas@python.org/message/AIXPNFZFTGKIVEVCFJMTLDGX2GI24EMQ/
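As an added example, not code from this thread, from the PEP draft or from Django, here is a minimal auto-escaping template function that shows how both quoted drawbacks and the nesting problem above play out. Every interpolated value is HTML-escaped by default, so there is no conditional_escape() call to forget, and fragments produced by the same function are marked safe, so nested templates compose as markup instead of having their tags escaped a second time. The names `SafeHTML`, `to_safe_html`, `html` and `demo` are my own; the `__html__` marker method is the protocol Django and MarkupSafe use to recognise already-safe strings. All inputs in `demo()` are constructed.

```python
from html import escape
from string import Formatter
from typing import Any


class SafeHTML(str):
    """A str subclass marking content as already-escaped HTML.

    The *marker type*, not the content, decides whether a value is escaped
    again, so the rule "every other value gets escaped" stays simple to audit.
    """

    def __html__(self) -> str:  # same marker protocol as Django / MarkupSafe
        return str(self)


def to_safe_html(value: Any) -> SafeHTML:
    """Escape anything not already marked safe (the role of conditional_escape).

    - objects with __html__ (SafeHTML included) pass through untouched
    - lists/tuples are converted element-wise and joined, so a list of nested
      safe fragments renders as markup rather than as a Python list repr
    - everything else is str()-ed and escaped for HTML text/attribute context
      (this does NOT make a value safe inside <script> or in a URL)
    """
    if hasattr(value, "__html__"):
        return SafeHTML(value.__html__())
    if isinstance(value, (list, tuple)):
        return SafeHTML("".join(to_safe_html(v) for v in value))
    return SafeHTML(escape(str(value), quote=True))


class _AutoEscapeFormatter(Formatter):
    """str.format()-style formatter whose every substitution is escaped."""

    def format_field(self, value: Any, format_spec: str) -> str:
        if hasattr(value, "__html__") or isinstance(value, (list, tuple)):
            return str(to_safe_html(value))
        # apply the format spec first, then escape the resulting text
        return str(to_safe_html(format(value, format_spec)))


_formatter = _AutoEscapeFormatter()


def html(template: str, /, **values: Any) -> SafeHTML:
    """Render a template whose {placeholders} are auto-escaped; the result is safe."""
    return SafeHTML(_formatter.vformat(template, (), values))


def demo() -> dict[str, str]:
    # constructed hostile inputs, standing in for untrusted user data
    name = '<script>alert("xss")</script>'
    messages = ["Hello & welcome", "<b>not bold</b>"]

    # Drawback 2 disappears: escaping is the default, not an explicit call.
    greeting = html("<p>Hi {name}</p>", name=name)

    # Nested templates: the inner fragments are SafeHTML, so the outer template
    # joins them as markup instead of escaping the <li> tags again.
    items = [html("<li>{msg}</li>", msg=m) for m in messages]
    page = html("<p>Hi {name}</p><ul>{msgs}</ul>", name=name, msgs=items)

    # Plain f-strings nested inside, as in the message above: the <li> tags
    # are untrusted text to the outer template and get escaped, which is the
    # visible "<li>Your message</li>" output the post complains about.
    naive = html("<ul>{msgs}</ul>", msgs=[f"<li>{m}</li>" for m in messages])

    return {"greeting": greeting, "page": page, "naive": naive}


if __name__ == "__main__":
    for label, rendered in demo().items():
        print(f"{label}: {rendered}")
```

The design choice worth noting is that safety is a property of how a string was produced (it came out of `html()` or carries `__html__`), never of what it looks like, so a reviewer only has to find the places where plain strings are wrapped in `SafeHTML` by hand. The escaping here covers HTML text and quoted attribute values only; script blocks, inline event handlers and URLs need context-specific encoders.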