[Python-ideas] Re: Pre PEP: Python Literals (was custom strings before)
> > 1. It is too verbose. Typing "conditional_escape(...)" again and
> > again is cumbersome.
>
> from django.utils.html import conditional_escape as esc
> f'Hi {esc(name)}'

It's too bad that ␛ U+251B isn't a valid Python identifier. Then we could do it in one character :-) But as I keep saying, confusing new syntax to save a couple characters in calling an existing function is not a good thing.

-- 
The dead increasingly dominate and strangle both the living and the not-yet born. Vampiric capital and undead corporate persons abuse the lives and control the thoughts of homo faber. Ideas, once born, become abortifacients against new conceptions.

___
Python-ideas mailing list -- python-ideas@python.org
To unsubscribe send an email to python-ideas-le...@python.org
https://mail.python.org/mailman3/lists/python-ideas.python.org/
Message archived at https://mail.python.org/archives/list/python-ideas@python.org/message/MHIKHVO6365C6HLLT53Q7FVQ5ULYXPBR/
Code of Conduct: http://python.org/psf/codeofconduct/
[Python-ideas] Re: Pre PEP: Python Literals (was custom strings before)
My bad, I had missed nesting template literals support in the PEP, it makes it interesting then!

Message archived at https://mail.python.org/archives/list/python-ideas@python.org/message/RI6TXNMI2NNWKZQO5FXVS76VI7ROMEXY/
[Python-ideas] Re: Pre PEP: Python Literals (was custom strings before)
On Thu, Jun 10, 2021 at 4:07 PM Chris Angelico wrote:
>
> What's the advantage of htmx? When I want to build a good interactive
> web site, my general pattern is a back end with a well-defined API,
> and a front end in JavaScript that makes use of this API. That API is
> usually going to be based on either a RESTful (or roughly REST-like)
> JSON transactional system, or something like websockets, again
> carrying JSON payloads. HTML is the realm of the display, not the back
> end.
>

I use unpoly but the deal is the same: backend HTML rendering lets us leverage all sorts of meta programming, i.e. add a field to a form and you don't have to change your presentation layer: the Form instance will automatically render a form field with all the necessary validation, i.e. in case of a username field which must be unique in the database.

-- 
∞

Message archived at https://mail.python.org/archives/list/python-ideas@python.org/message/2NFYDGMIC3SFXNX5B6DPI2NECJE7OCA6/
[Python-ideas] Re: Pre PEP: Python Literals (was custom strings before)
On Thu, Jun 10, 2021 at 8:34 AM Thomas Güttler wrote:
>
> This solution has two drawbacks:
>
> 1. It is too verbose. Typing "conditional_escape(...)" again and again
> is cumbersome.
>

    from django.utils.html import conditional_escape as esc

    f'''
    Hi {esc(name)}

    Your messages:
    {esc(messages)}
    '''

> 2. If a conditional_escape() gets forgotten, Cross-site scripting
> attacks could be possible, since malicious users could inject HTML.
>

This is specific to Django and other frameworks out there which accept anything as user input by default; that's an anti-pattern which OWASP recommends against because obviously it opens a wide range of attack vectors. Absolutely no security audit would ever validate the default validation of a CharField or a TextField.

Another problem I see with this proposal is how do you actually use safe HTML in variables?

    msgs = [f'<li>{msg}</li>' for msg in messages]

    f'''
    Hi {name}

    Your messages:
    {msgs}
    '''

Will output:

    Hi Your name

    Your messages:
    <li>Your message</li>

Instead of what we would want in this situation:

    Hi Your name

    Your messages:
    Your message

Otherwise good idea, it's an issue we have, even though the first immediate fix needed is Django's default input validation, which is just open bar.

Message archived at https://mail.python.org/archives/list/python-ideas@python.org/message/AIXPNFZFTGKIVEVCFJMTLDGX2GI24EMQ/
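Added example, not code from the thread or from Django: a stand-alone reimplementation of the conditional_escape / __html__ convention, showing the double-escaping problem raised in the message above (markup built as a plain str gets escaped again) next to the version where user data is escaped at the leaves and the surrounding markup is marked safe. SafeString and safe_join are assumed helper names standing in for Django's SafeString and format_html_join.

```python
import html


class SafeString(str):
    """str subclass marking its content as already-escaped HTML.
    Follows the __html__ convention of Django/MarkupSafe; this is a
    stand-alone reimplementation, not Django's own code."""

    def __html__(self):
        return str(self)


def conditional_escape(value):
    """Escape `value` unless it declares itself safe via __html__.
    Escaping is idempotent on SafeString, which is what prevents
    double escaping when markup is assembled from escaped pieces."""
    if hasattr(value, "__html__"):
        return SafeString(value.__html__())
    return SafeString(html.escape(str(value), quote=True))


esc = conditional_escape


def safe_join(items):
    """Join fragments, escaping each one; SafeString items pass through.
    Assumption: a small helper standing in for Django's format_html_join."""
    return SafeString("".join(esc(item) for item in items))


def render_naive(name, messages):
    """The pitfall from the thread: the <li> markup is a plain str, so
    escaping the assembled list turns the tags into visible text."""
    msgs = "".join(f"<li>{esc(msg)}</li>" for msg in messages)  # plain str
    return f"Hi {esc(name)}<ul>{esc(msgs)}</ul>"


def render_safe(name, messages):
    """Escape user data at the leaves, mark the wrapping markup safe,
    and join with a joiner that honours __html__."""
    msgs = [SafeString(f"<li>{esc(msg)}</li>") for msg in messages]
    return f"Hi {esc(name)}<ul>{safe_join(msgs)}</ul>"


# Constructed sample input: a name and a message carrying markup characters.
NAME = "Ann & Bob"
MESSAGES = ["<b>not bold</b>", 'say "hi"']

if __name__ == "__main__":
    print(render_naive(NAME, MESSAGES))  # tags escaped twice, shown as text
    print(render_safe(NAME, MESSAGES))   # <li> kept, user data escaped once
```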