durusmail: quixote-users: Support $-substitution in templates
Support $-substitution in templates
Support $-substitution in templates
Neil Schemenauer
2005-01-01
On Tue, Dec 14, 2004 at 01:43:54PM -0500, David Binger wrote:
> The 2.0a3 ptl compiler essentially replaces '$foo' with '"%(foo)s"
> % vars()'.  Does anyone like or dislike this feature?

I think we should take it out completely.  There are two major
problems with this feature.  First, since it only allows
substitution from variables, not expressions, I find I often need to
use the % operator.  Second, using a $-substitution causes a literal
string to become a non-literal value.  That leads to some surprises.
For example, the following code could be incorrect:

    '$x %s' % y

For example, if 'x' sometimes contains a '%' character then you will
sometimes get an exception.  A more dangerous (although more
unlikely) example:

    '$x %(y)s' % somedict

It's a potential security problem (for example, if the result is
visible to attackers, they can control 'x' and if 'y' contains
sensitive information).

Making it an optional feature still leaves a trap for the Quixote
programmer, IMHO.

  Neil

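The two failure modes described above, as an added example that is not code from this thread or from Quixote. The `expand_dollar` helper is a simplified stand-in for the ptl compiler's `$`-rewriting (it only replaces `$name` with the value of `name`), the `render_*` functions and the sample dictionary are constructed for the demonstration, and `render_keyed_escaped` shows one way to make a substituted value inert before the later `%` step.

```python
import re

# Simplified model of the $-substitution discussed in the mail:
# '$name' inside a literal is replaced by str(value of name).  This is an
# illustration only, not the Quixote/PTL compiler's own code.
_DOLLAR = re.compile(r"\$([A-Za-z_][A-Za-z0-9_]*)")


def expand_dollar(literal, namespace):
    """Replace every '$name' in literal with str(namespace['name'])."""
    return _DOLLAR.sub(lambda m: str(namespace[m.group(1)]), literal)


def render_positional(x, y):
    """First example from the mail: '$x %s' % y.

    $-expansion runs first, so the content of x becomes part of the
    format string that the later '% y' parses.  Any '%' inside x is then
    read as a conversion directive rather than a literal character.
    """
    fmt = expand_dollar("$x %s", {"x": x})
    return fmt % y


def try_render_positional(x, y):
    """Run render_positional and report either ('ok', result) or
    ('error', exception class name), so the failure is visible without
    a traceback."""
    try:
        return ("ok", render_positional(x, y))
    except (TypeError, ValueError) as exc:
        return ("error", type(exc).__name__)


def render_keyed(x, somedict):
    """Second example from the mail: '$x %(y)s' % somedict.

    Whoever controls x chooses which keys of somedict the second
    formatting step interpolates into the output.
    """
    fmt = expand_dollar("$x %(y)s", {"x": x})
    return fmt % somedict


def escape_percent(value):
    """Make a substituted value inert for a later %-formatting step."""
    return str(value).replace("%", "%%")


def render_keyed_escaped(x, somedict):
    """Hardened variant (constructed for this example): substituted values
    are %-escaped, so the string still works as a format string but x can
    no longer inject directives or select keys of somedict."""
    fmt = expand_dollar("$x %(y)s", {"x": escape_percent(x)})
    return fmt % somedict


if __name__ == "__main__":
    # Constructed sample data; 'secret' stands in for sensitive content.
    somedict = {"y": "public value", "secret": "hunter2"}
    print(try_render_positional("Hello", "world"))       # ('ok', 'Hello world')
    print(try_render_positional("100% pure", "world"))   # ('error', 'ValueError')
    print(render_keyed("%(secret)s", somedict))          # 'hunter2 public value'
    print(render_keyed_escaped("%(secret)s", somedict))  # '%(secret)s public value'
```

The escaping shown here is one remedy; the other is to never let a substituted value reach a second `%` at all, which is what keeping `$`-strings as ordinary literals (the position argued for in the mail) achieves.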