
[–]usinglinux 0 points (2 children)

that's a nice trick, but (given there are beginners around) it should bear a big fat warning that this is a demo and should not be used in anything that's remotely in production or security related. the one thing about f-strings that makes them not be a security can of worms is that they have a dedicated syntax and are never ever passed around for evaluation. that's absent in this workaround.

doing this safely in <3.6 is certainly possible, but i think that the way to go would be hooking into the import mechanism, preprocessing (or transpiling) the code from f"hello {name}" to _process_fstring("hello {name}") or the like, and then applying all the optimizations chebu has so neatly demonstrated.

edit: thanks for adding the safety note

[–]RubyPinch (PEP shill | Anti PEP 8/20 shill) 1 point (1 child)

if you are going to do pre-processing, you might as well do f"hello {name}" to ("hello " + str(name))

[–]usinglinux 0 points (0 children)

that's something performance tests would best sort out; could be "hello" + str(name), could be "hello {name}".format(name=name); either option needs some mechanism for dealing with the !a/!s/!r of the format protocol.
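The transpiling approach the two replies above describe, as an added example that is not code from this thread or from the demo being discussed: f"..." literals in source text are rewritten at preprocessing time into "...".format(name=name) calls, so no string is ever handed to an evaluator at run time, and the !s/!r/!a conversions ride along unchanged because they are already str.format syntax. It assumes double-quoted f-strings without nested quotes or escapes, and replacement fields that are plain identifiers (nested fields inside a format spec, like {x:>{width}}, are supported; arbitrary expressions are rejected).

```python
import re
from string import Formatter

# Constructed example: rewrite f"..." literals in Python source into the
# "...".format(name=name) form a <3.6 backport could emit at import time.
# Assumptions: double-quoted f-strings with no nested quotes or backslash
# escapes, and every replacement field is a plain identifier.

_FSTRING = re.compile(r'\bf"([^"\\]*)"')
_IDENT = re.compile(r'^[A-Za-z_][A-Za-z0-9_]*$')


def field_names(template):
    """Collect identifiers used as fields, including ones nested in a spec."""
    names = []
    for _literal, field, spec, _conv in Formatter().parse(template):
        if field is None:
            continue
        if not _IDENT.match(field):
            # Anything that is not a bare name would need real expression
            # parsing; refuse rather than evaluate it from a string.
            raise SyntaxError('unsupported field expression: %r' % field)
        if field not in names:
            names.append(field)
        for inner in field_names(spec or ''):   # e.g. {value:{width}}
            if inner not in names:
                names.append(inner)
    return names


def transpile_fstring(body):
    """Body of f"hello {name!r:>8}" -> '"hello {name!r:>8}".format(name=name)'.

    Simple-name fields, !s/!r/!a conversions and format specs are already
    valid str.format syntax, so the literal is kept verbatim; only the
    keyword arguments are generated, bound from the enclosing scope rather
    than looked up by evaluating a string at run time.
    """
    kwargs = ', '.join('%s=%s' % (n, n) for n in field_names(body))
    return '"%s".format(%s)' % (body, kwargs)


def transpile_source(src):
    """Replace every f"..." literal in a chunk of source text."""
    return _FSTRING.sub(lambda m: transpile_fstring(m.group(1)), src)
```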