Remix clone Hacker News

So now you are repeating the name of each interpolated value three times (once in the template string, once for the key in the dict, once for the actual value).

Yes, you can do that, but a t-string is much more ergonomic, and IMO, more readable .

▲ bjourne 8 days ago | parent [-]

Yes, of course. Any function with syntactic support will be more "ergonomic" than one without. But t-strings are for a relatively niche use case and can't even fully replace f-strings since they aren't actually strings. Even for input sanitizing they seem insufficient since you cant use them to create pre-compiled statements/templates.

▲ thayne 8 days ago | parent [-]

Preventing injection attacks in sql queries, html, etc. is a niche use case?

▲ bjourne 8 days ago | parent [-]

Yes. And it also relies on pre-compilation, which t-strings do not support.

▲ thayne 7 days ago | parent [-]

No, you don't need pre-compilation, assuming by pre-compilation you mean compiling a template that you pass values to later[1]

t-strings allow a library to perform transformations on the values, such as escaping them, or passing them as separate values to a parameterized query. Escaping html and parameterizing sql queries were the first two example use cases given in the PEP.

And I disagree that such use cases are niche. In my experience, needing to sanitize user input is an extremely common thing to need to do, and having the language and library make it as easy as possible to do it correctly is a very good thing.

[1]: I do wish they hadn't called these Templates, because it's not really a template so much as an intermediate representation of an interpolated value.

▲ bjourne 7 days ago | parent [-]

Yes, web is a niche. Outside of web there is simply no possibility of turning untrusted input into executable code so sanitation isn't needed. In web development you already have two dozen templating libraries that offer much more comprehensive safe and fast text-generation solutions than what t-strings do.

Pre-compilation means that you first compile the template, then you supply the template with values when you render it multiple times. This is not possible with t-strings since the values are bound when the t-string is created.

▲ thayne 5 days ago | parent [-]

Even if you accept that "web" is niche (which I don't), and all your input is trusted not to be malicious (which is not necessarily true for non-web applications, especially if they are privileged), you still need to worry about input with special characters causing bugs. Web apps don't have a monopoly on using a database, or generating strings in a specific syntax that includes user input.

With respect to compilation, that is basically is how t-strings work, but it is the python interpreter that does the compilation. When it parses the t-string, it compiles it to (byte) code to generate a Template object from from the expressions in scope when it is evaluated, which may happen more than once. And if you really want a template that is a separate object that is passed the values separately, you can just wrap a t-string in a function that takes the parameters as arguments.

> two dozen templating libraries that offer much more comprehensive safe and fast text-generation solutions than what t-strings do

But t-strings allow those libraries to be safer (users are less likely to accidentally interpolate values in an f-string, if a t-string is required) and possibly faster (since the python interpreter does the hard work of splitting up the string for you. t-strings don't replace those libraries, it allows them to be better.

▲ bjourne 5 days ago | parent [-]

In non-web contexts untrusted input is not interpolated into the executable streams so you don't worry about special characters. E.g., there is no point in "sanitizing" the name of a variable in a C compiler.

> And if you really want a template that is a separate object that is passed the values separately, you can just wrap a t-string in a function that takes the parameters as arguments.

No, you can't do that: "Template strings are evaluated eagerly from left to right, just like f-strings. This means that interpolations are evaluated immediately when the template string is processed, not deferred or wrapped in lambdas." Every function evaluation creates a new Template object, it does not reuse a precompiled one.

> and possibly faster

Possibly not, since precompilation is not supported.

	▲	thayne 5 days ago \| parent [-]
		> In non-web contexts untrusted input is not interpolated into the executable streams so you don't worry about special characters I don't know what you mean by `executable` streams, but besides databases as I've already mentioned, a common thing that shows up in non-web applications is invoking a shell command that includes a user-supplied file name as part of it. Currently doing so safely means you need to call `shlex.quote` or similar on the filename, but with t-strings you could have something like: `shell(t"some-command {filename} 2> somefile \| other-command")`. And that is just one specific example. There are other cases it might be useful as well, like say generating an XML configuration file from a template that includes user-supplied input. > No, you can't do that... Every function evaluation creates a new Template object, it does not reuse a precompiled one. The code that generates that Template object is pre-compiled though. If you define a function like: `def my_template(a, b,c): return t"a={a} b={b} c={c}"` When python parses that, it will generate bytecode equivalent to: `def my_template(a, b,c): return Template("a=", Interpolation(a, ...), " b=", Interpolation(b, ...), " c=", Interpolation(c,...))` yes, it does create a new `Template` object every time `my_template` is called, but it doesn't have to re-parse the template string each time, which is an improvement over existing APIs that do re-parse a template string every time it is used.