Eric V. Smith <e...@trueblade.com> added the comment:

> str.format, string.Formatter, and the _string module can only
> parse literal keys, not expressions, despite appearing to take the
> same syntax as f-strings.  I'm happy to contribute code to change
> this, but unsure if it's considered a bug or feature (now that we're
> past feature freeze for 3.8).  I would love to see these converge to
> prevent confusion and let us document in just one place.

It's a feature that str.format does not accept expressions. If it did, it would:
1: require compiler support (eval isn't good enough)
2: be a security hole magnet

I think both of these are sufficiently strong arguments that I won't support 
making expressions work in str.format().

For the security hole, you don't want:

user_provided_string.format()

to be able to execute arbitrary code. You're basically eval-ing (parts of) 
strings, and everyone would suddenly have to audit all of their code to make 
sure there are no security holes exposed.

----------
versions:  -Python 3.8

_______________________________________
Python tracker <rep...@bugs.python.org>
<https://bugs.python.org/issue37341>
_______________________________________
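
The distinction drawn in the message above, as an added example that is not part of the original message or of CPython's own code: str.format looks each replacement field up as a literal key, while the same text compiled as an f-string is evaluated as an expression. The helper names and the templates are constructed for illustration.

```python
import string

def field_names(template):
    """Names str.format would look up, exactly as written in the template."""
    return [name for _, name, _, _ in string.Formatter().parse(template)
            if name is not None]

def render_format(template, **values):
    """Render with str.format; return the lookup error as text instead of raising."""
    try:
        return template.format(**values)
    except (KeyError, IndexError, AttributeError, ValueError) as exc:
        return f"{type(exc).__name__}: {exc}"

def render_fstring(template, **values):
    """Compile the same text as an f-string, which needs the compiler and
    evaluates every replacement field as a Python expression."""
    code = compile("f" + repr(template), "<constructed>", "eval")
    return eval(code, dict(values))

def demo():
    """Run both renderers over constructed templates and record side effects."""
    calls = []
    def touch():
        # Stand-in for any callable reachable from the formatting namespace.
        calls.append("touch")
        return "ran"
    out = {}
    out["names"] = field_names("{x + 1} and {touch()}")
    out["format_expr"] = render_format("{x + 1}", x=1)
    out["format_call"] = render_format("{touch()}", touch=touch)
    out["calls_after_format"] = list(calls)
    out["fstring_expr"] = render_fstring("{x + 1}", x=1)
    out["fstring_call"] = render_fstring("{touch()}", touch=touch)
    out["calls_after_fstring"] = list(calls)
    return out

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

With str.format the callable is never invoked because `touch()` is only a dictionary key that does not exist; under f-string compilation the same text calls it.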