On 29/04/23 6:59 am, Bruce Leban wrote:
To take this further, suppose you write 'Hello {username} from {company}'.format(userdata).format(companydata) where the user has set their name to "Dr. {secret} Evil" where {secret} is something in companydata that should not be exposed.
More generally, a format string should be treated as code, and doing anything that could result in untrusted user data being treated as code is a Bad Idea.

-- Greg

Python-ideas mailing list -- python-ideas@python.org
Message archived at https://mail.python.org/archives/list/python-ideas@python.org/message/55PB23XWOLEGM7OWEGPH7ZVAK7MWRIFE/
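The two-pass `.format()` leak Bruce describes, next to a check that spots it and two defensive alternatives, as an added example that is not code from the thread. The `userdata`/`companydata` dicts, the `KeepMissing` partial-formatting helper and all function names are constructed for this demonstration.

```python
from string import Formatter

# Constructed sample data: the username is attacker-controlled, and
# companydata holds a value that must never reach the user.
userdata = {"username": "Dr. {secret} Evil"}
companydata = {"company": "Acme", "secret": "hunter2"}
TEMPLATE = "Hello {username} from {company}"


class KeepMissing(dict):
    """format_map() helper: leave unknown fields in place for a later pass."""
    def __missing__(self, key):
        return "{" + key + "}"


def referenced_fields(fmt):
    """Field names that would be resolved if fmt were used as a format string."""
    return {name for _, name, _, _ in Formatter().parse(fmt) if name is not None}


def first_pass(template, user):
    """Pass one of the pattern from the thread: user text lands in the template."""
    return template.format_map(KeepMissing(user))


def greet_two_pass(template, user, company):
    """Pass two re-parses the user's text as a format string, so any braces
    in the username are resolved against companydata and leak its values."""
    return first_pass(template, user).format_map(company)


def escape_braces(value):
    """Make a substituted value inert if the result is formatted again."""
    return str(value).replace("{", "{{").replace("}", "}}")


def partial_format(template, values):
    """Deferred formatting done safely: substituted values are brace-escaped,
    so a later pass treats them as literal text, not as replacement fields."""
    escaped = {k: escape_braces(v) for k, v in values.items()}
    return template.format_map(KeepMissing(escaped))


def greet_single_pass(template, user, company):
    """Preferred fix: format once with every value available, so user data is
    only ever substituted as data and never re-parsed as a template."""
    return template.format_map({**user, **company})


if __name__ == "__main__":
    print(greet_two_pass(TEMPLATE, userdata, companydata))   # Hello Dr. hunter2 Evil from Acme
    # A check that catches the problem: fields that appear only after pass one.
    print(referenced_fields(first_pass(TEMPLATE, userdata)) - referenced_fields(TEMPLATE))  # {'secret'}
    print(partial_format(TEMPLATE, userdata).format_map(companydata))  # Hello Dr. {secret} Evil from Acme
    print(greet_single_pass(TEMPLATE, userdata, companydata))          # Hello Dr. {secret} Evil from Acme
```

The field-set difference is the practical check: if formatting ever introduces replacement fields the template did not declare, user data has become code.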