bcoates 8 days ago

No, it's exactly the opposite--f-strings are, roughly, eval (that is, unsanitary string concatenation that is presumptively an error in any nontrivial use) to t-strings which are just an alternative expression syntax, and do not even dereference their arguments.

rowanG077 7 days ago | parent [-]

f-strings are not eval. It's not dynamic. It's simply an expression that is run just like every other expression.

bcoates 6 days ago | parent [-]

Right, and then if you do literally anything with the output other than print() to a tty, it’s an escaping/injection attack.

any_func(f"{attacker_provided}") <=> eval(attacker_provided), from a security/correctness perspective

saagarjha 4 days ago | parent [-]

How is this any different from any_func(attacker_provided)?
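An added example, not part of the thread above, that makes the disagreement concrete: a consumer handed the result of an f-string receives one `str` and cannot tell the author's literal markup from interpolated data, whereas a t-string-style object keeps the two apart so the consumer can escape only the data. It assumes an interpreter older than Python 3.14, so `TemplateLike` is a constructed stand-in for the shape of `string.templatelib.Template`, not the real class or real `t"..."` syntax.

```python
import html
from dataclasses import dataclass


@dataclass(frozen=True)
class TemplateLike:
    """Constructed stand-in for the object a t-string yields (Python 3.14).

    Not the stdlib class; it only mirrors the shape that matters here:
    literal segments and interpolated values are kept separate and nothing
    has been rendered yet.
    """
    strings: tuple  # n + 1 literal segments written by the author
    values: tuple   # n interpolated values, still unrendered


def greeting_f(name):
    # f-string: the value is concatenated into the markup immediately.
    # The result is a plain str; the literal/value boundary is gone.
    return f"<p>Hello, {name}</p>"


def greeting_t(name):
    # Emulates t"<p>Hello, {name}</p>": the consumer gets parts, not a str.
    return TemplateLike(strings=("<p>Hello, ", "</p>"), values=(name,))


def to_html(fragment):
    """Consumer that wants to emit safe HTML."""
    if isinstance(fragment, str):
        # With a str there are only two choices, each wrong for some caller:
        # trust the whole thing (interpolated data becomes markup) or escape
        # the whole thing (the author's own tags are destroyed too). This
        # branch trusts it, which is what any_func(f"...") amounts to.
        return fragment
    out = [fragment.strings[0]]
    for value, literal in zip(fragment.values, fragment.strings[1:]):
        out.append(html.escape(str(value)))  # data: escaped
        out.append(literal)                   # author markup: kept verbatim
    return "".join(out)


if __name__ == "__main__":
    untrusted = "<b>Mallory</b>"  # constructed sample of attacker-controlled input
    print(to_html(greeting_f(untrusted)))  # tags land in the page as markup
    print(to_html(greeting_t(untrusted)))  # tags arrive as inert text
```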