On Mon, Apr 02, 2018 at 04:28:10PM +0200, Peter Otten wrote:

> > They look like string constants, but they're actually a hidden call to
> > eval().
>
> But because you cannot f-ify a string variable (without an additional eval()
> call) you aren't tempted to feed them user-provided data.

If only that were the case...

https://mail.python.org/pipermail/python-list/2018-March/731967.html

He reads f-strings from user-supplied data, then evals them. But it's okay, he's only doing it within his own organisation, and we all know that "insiders" are always 100% trusted. "Insider attack" is just a pair of words. Right?

> As I'm getting tired of writing
>
> "...{foo}...{bar}...".format(foo=foo, bar=bar, ...)

You can write:

    template.format(**(locals()))

or possibly nicer still:

    template.format_map(locals())

-- 
Steve
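Added example, not part of the original message: str.format does not evaluate expressions the way an eval'd f-string does, but a template from an untrusted source can still walk attributes of anything in locals(), so this sketch renders only bare, allow-listed field names. The names render_untrusted, TemplateRejected and Account, and all sample values, are constructed for illustration.

```python
import string

class TemplateRejected(ValueError):
    """Raised when a template uses anything beyond plain allowed names."""

def render_untrusted(template, values):
    """Render a str.format-style template that came from an untrusted source.

    Only bare field names that are keys of `values` are accepted. Attribute
    access ({a.b}), indexing ({a[0]}), positional fields, conversions ({a!r})
    and format specs ({a:>10}, which may nest further fields) are rejected.
    """
    parts = []
    for literal, field, spec, conversion in string.Formatter().parse(template):
        parts.append(literal)
        if field is None:          # literal text only, no replacement field
            continue
        if not field.isidentifier() or field not in values:
            raise TemplateRejected(f"field not allowed: {field!r}")
        if spec or conversion:
            raise TemplateRejected(f"spec/conversion not allowed on {field!r}")
        parts.append(str(values[field]))
    return "".join(parts)

class Account:                     # constructed sample object
    def __init__(self):
        self.owner = "ann"
        self.api_key = "CONSTRUCTED-SECRET"

def demo():
    acct = Account()
    name = "Ann"
    leaky = "{acct.api_key}"       # constructed template standing in for user input
    # format_map(locals()) follows the attribute and returns the secret.
    exposed = leaky.format_map(locals())
    try:
        render_untrusted(leaky, {"name": name})
        blocked = False
    except TemplateRejected:
        blocked = True
    return exposed, blocked, render_untrusted("Hi {name} {{ok}}", {"name": name})
```
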