[Python-Dev] PEP 215 redux: toward a simplified consensus?
Paul Prescod paul@prescod.net
Mon, 25 Feb 2002 15:19:06 -0800
Guido van Rossum wrote:
> There are two entirely different potential uses for interpolation. One is for the Python programmer; call this literal interpolation.
True!
> ... A totally different use of interpolation is for templates, where both the template (any data containing the appropriate $ syntax) and the set of variables to be substituted (any mapping) should be under full control of the program. This is what mailman needs.
True!
But we've already got a solution for this. Is there something wrong with it? I guess I don't know what problem we're trying to solve. My only interest in interpolation was to make the common, simple case easier.
> Literal interpolation has no security issues, if done properly. In the latter use, the security issues can be taken care of by carefully deciding what data is available in the set of variables to be interpolated. The interpolation syntax I've proposed is intentionally very simple, so that this is relatively easy. I recall seeing slides at the conference of a templating system (maybe Twisted's?) that allowed expressions like $foo.bar[key] which would be much harder to secure.
I'm not attached enough to fight for these but I'll re-emphasize your implicit point that these are entirely secure if used in literal interpolation.
> I18n of templates is easy -- just look up the template string in the translation database.
> I18n of apps using literal interpolation is more of a can of worms, and I have no clear solution. I agree that a solution is needed -- otherwise literal interpolation would be worse than what we have now!
You translate them from compile time interpolation to runtime by removing a $ and replacing it by a function call.
a = $"My name is $name"
becomes:
a = interp(_("My name is $name"))
But of course it is trivial to make the last line of '_' return interp(rc) so that the client doesn't have to do it.
Paul Prescod
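
The contrast drawn in the quoted text between plain `$name` templates and expression-style fields such as `$foo.bar[key]`, as an added example that is not part of the original message. It assumes Python's later `string.Template` as a stand-in for the simple syntax and `str.format` as a stand-in for the expression syntax; `Account`, `api_token` and the function names are hypothetical.

```python
from string import Template


class Account:
    """Constructed sample object; api_token stands in for data a template must not see."""

    def __init__(self, name, api_token):
        self.name = name
        self.api_token = api_token


def placeholders(template_text):
    """Return the $name / ${name} identifiers a template refers to."""
    names = []
    for mo in Template.pattern.finditer(template_text):
        if mo.group("invalid") is not None:
            raise ValueError("malformed placeholder at offset %d" % mo.start())
        name = mo.group("named") or mo.group("braced")
        if name:  # skips the "$$" escape, which names nothing
            names.append(name)
    return names


def render_simple(template_text, allowed):
    """Plain-name substitution: only the keys of `allowed` are reachable."""
    unknown = set(placeholders(template_text)) - set(allowed)
    if unknown:
        raise KeyError("template uses names outside the mapping: %s" % sorted(unknown))
    return Template(template_text).substitute(allowed)


def render_with_expressions(template_text, **objects):
    """Expression-style fields: attribute and index lookups walk into the objects."""
    return template_text.format(**objects)


if __name__ == "__main__":
    acct = Account("alice", "CONSTRUCTED-TOKEN")  # constructed sample values
    # The mapping decides exposure: only "name" is handed to the template.
    print(render_simple("My name is $name", {"name": acct.name}))
    # Passing the object exposes every attribute to whoever writes the template.
    print(render_with_expressions("{acct.name} / {acct.api_token}", acct=acct))
```

With plain names, auditing the mapping's keys is the whole review; with expression fields, everything reachable from each passed object has to be reviewed.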