On Thu, Sep 23, 2021 at 8:12 PM Chris Angelico <ros...@gmail.com> wrote:
> One good hybrid is to take a subset of Python syntax (so it still
> looks like a Python script for syntax highlighting etc), and then
> parse that yourself, using the ast module. For instance, you can strip
> out comments, then look for "VARNAME = ...", and parse the value using
> ast.literal_eval(), which will give you a fairly flexible file format
> that's still quite safe.
>

Restricting Python with the ast module is interesting, but I don't think I'd want to bet my career on the actual safety of such a thing. Given that Java bytecode was a frequent problem inside web browsers, imagine all the messiness that could accidentally happen with a subset of Python syntax from untrusted sources.

ast.literal_eval might be a little better - or a list of such, actually.

Better still to use JSON or ini format - IOW something designed for the purpose.

--
https://mail.python.org/mailman/listinfo/python-list
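The "VARNAME = ..." hybrid that Chris describes, written out as an added example (not code from either poster): it walks the ast instead of regexing lines, accepts only single-name assignments whose value ast.literal_eval takes, and rejects calls, names, imports and anything else rather than evaluating them. The sample config and the rejected line are constructed for the demo; the RecursionError handling reflects the documented caveat that literal_eval is not a guard against deeply nested input.

```python
import ast


class ConfigError(ValueError):
    """Raised when a config file contains anything but NAME = <literal>."""


def load_python_subset_config(text: str) -> dict:
    """Parse a config written as 'NAME = <literal>' lines with the ast module.

    ast.parse drops comments and blank lines for us. Each top-level statement
    must be an assignment to exactly one plain name, and the right-hand side
    must be something ast.literal_eval accepts (str, bytes, numbers, tuples,
    lists, dicts, sets, booleans, None). Calls, attribute access, subscripts,
    bare names and imports all raise ConfigError instead of being evaluated.
    """
    try:
        tree = ast.parse(text, mode="exec")
    except (SyntaxError, ValueError, RecursionError, MemoryError) as exc:
        # literal_eval is a code-execution guard, not a DoS guard: deeply
        # nested input can still exhaust the parser stack, so fail closed.
        raise ConfigError(f"config not parseable: {exc}") from None

    config = {}
    for node in tree.body:
        if not (isinstance(node, ast.Assign) and len(node.targets) == 1
                and isinstance(node.targets[0], ast.Name)):
            raise ConfigError(f"line {node.lineno}: only 'NAME = value' is allowed")
        name = node.targets[0].id
        try:
            value = ast.literal_eval(node.value)  # accepts an AST node directly
        except (ValueError, TypeError, RecursionError, MemoryError):
            # literal_eval refuses non-literal nodes (Call, Name, Attribute...)
            raise ConfigError(f"line {node.lineno}: {name} is not a plain literal") from None
        config[name] = value
    return config


def rejects(text: str) -> bool:
    """True if the text is refused, so callers can check the negative case."""
    try:
        load_python_subset_config(text)
    except ConfigError:
        return True
    return False


# Constructed sample input: comments and trailing comments are allowed.
SAMPLE = """
# database settings (constructed example)
host = "db.internal"   # hostname only
port = 5432
allowed_ports = [22, 443]
debug = False
"""
# Constructed line that looks like Python but must never be evaluated.
REJECTED = "port = int(os.environ['PORT'])\n"
```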