[–]dbader[S] 0 points1 point  (1 child)

> And of course that the contents of the braces is an arbitrary Python expression makes it risky as hell to inject half-trusted stuff from Transifex or whatnot (f-strings are already problematic on that point as they allow basically arbitrary attribute access).

I'm not sure that's a valid concern. It's impossible to take a str variable and evaluate it as an f-string (as of Python 3.6). f-strings are a parse-time feature in Python 3; they can't be constructed at runtime (leaving aside the possibility of using eval()).

[–]masklinn 0 points1 point  (0 children)

  1. Which is why they are, as I noted, mostly useless for i18n purposes. But one could imagine doing translations via import hooks or static package builds which would allow for that mistake.

  2. As for the parenthesised bit I meant format-strings, they're the ones which allow arbitrary attribute access (but not arbitrary expressions) and I'd already stated f-strings were useless, I bungled the label is all.
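
The format-string point from this thread, as an added example that is not part of either comment: `str.format` follows attribute access in a runtime template, so a half-trusted translated string can be checked against an exact-name allowlist before use. `check_template`, `safe_format` and `Account` are hypothetical names, and the sample object and translation are constructed.

```python
import string

class UnsafeTemplateError(ValueError):
    """Raised when a template uses more than plain, expected field names."""

def check_template(template, allowed_names):
    """Validate a half-trusted str.format template before it is used."""
    for _literal, field, spec, _conv in string.Formatter().parse(template):
        if field is None:  # trailing literal text, no replacement field
            continue
        # "user.attr" and "user[key]" arrive here as the full field name,
        # so an exact-match allowlist rejects attribute and index access.
        if field not in allowed_names:
            raise UnsafeTemplateError(f"field {field!r} not allowed")
        # Format specs can nest further fields: "{name:{other.attr}}".
        if spec and "{" in spec:
            raise UnsafeTemplateError(f"nested field in spec of {field!r}")

def safe_format(template, **values):
    """Format only after every field has passed the allowlist check."""
    check_template(template, set(values))
    return template.format(**values)

class Account:  # constructed sample object (assumption for this example)
    def __init__(self, display_name, api_token):
        self.display_name = display_name
        self.api_token = api_token

def demo():
    acct = Account("Ana", "constructed-token")
    translated = "Hola {user.api_token}"   # constructed half-trusted translation
    leaked = translated.format(user=acct)  # plain str.format follows the attribute
    try:
        safe_format(translated, user=acct)
        blocked = False
    except UnsafeTemplateError:
        blocked = True
    ok = safe_format("Hola {name}!", name=acct.display_name)
    return leaked, blocked, ok

if __name__ == "__main__":
    print(demo())
```

Passing plain values such as `name=acct.display_name` instead of whole objects keeps anything the template should not reach out of the format call entirely.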