| ▲ | bcoates 3 months ago |
| No, it's exactly the opposite--f-strings are, roughly, eval (that is, unsanitary string concatenation that is presumptively an error in any nontrivial use) to t-strings which are just an alternative expression syntax, and do not even dereference their arguments. |
|
| ▲ | rowanG077 3 months ago | parent [-] |
| f-strings are not eval. It's not dynamic. It's simply an expression that is run just like every other expression. |

| ▲ | bcoates 3 months ago | parent [-] |
| Right, and then if you do literally anything with the output other than print() to a tty, it's an escaping/injection attack. any_func(f"{attacker_provided}") <=> eval(attacker_provided), from a security/correctness perspective |

| ▲ | rowanG077 2 months ago | parent | next [-] |
| Shooting any unsanitized input into your application is bad. Template strings don't make this worse. any_func(attacker_provided) is even worse than any_func(t"{attacker_provided}") since in the latter case you actually have reduced the attack surface to just strings. |

| ▲ | saagarjha 3 months ago | parent | prev [-] |
| How is this any different from any_func(attacker_provided)? |
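The disagreement above turns on what the callee receives. With an f-string the caller has already spliced the attacker's text into one finished string, so the callee cannot tell literal from value; with a template string the callee gets the literal parts and the evaluated values separately and decides how to treat each. The example below is added here and is not code from any commenter. It does not use Python 3.14's `t"..."` syntax or `string.templatelib`; the `Template` and `Interpolation` classes are a hand-rolled stand-in that only mimics that shape (literal strings alternating with interpolations), and `run_sql`, `render_html`, the `users` table and the `ATTACKER` value are all constructed for the demonstration.

```python
import html
import sqlite3
from dataclasses import dataclass
from typing import Any


@dataclass(frozen=True)
class Interpolation:
    """One `{...}` hole: the already-evaluated value plus its expression text.
    Stand-in for the PEP 750 object of the same name, not the real one."""
    value: Any
    expression: str


@dataclass(frozen=True)
class Template:
    """Literal text and interpolations kept apart, with the invariant
    len(strings) == len(interpolations) + 1 (text surrounds every hole).
    Stand-in for string.templatelib.Template, not the real class."""
    strings: tuple
    interpolations: tuple

    def __post_init__(self):
        if len(self.strings) != len(self.interpolations) + 1:
            raise ValueError("strings must surround every interpolation")


def run_sql(conn: sqlite3.Connection, tpl: Template) -> list:
    """SQL consumer: literal parts become statement text, every interpolated
    value becomes a bound parameter, so values can never alter the statement."""
    query = "?".join(tpl.strings)
    params = [i.value for i in tpl.interpolations]
    return conn.execute(query, params).fetchall()


def render_html(tpl: Template) -> str:
    """HTML consumer: literal parts are trusted markup, values are escaped."""
    out = [tpl.strings[0]]
    for interp, literal in zip(tpl.interpolations, tpl.strings[1:]):
        out.append(html.escape(str(interp.value)))
        out.append(literal)
    return "".join(out)


def setup_db() -> sqlite3.Connection:
    """Constructed in-memory table with two rows for the demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn


def lookup_with_fstring(conn: sqlite3.Connection, name: str) -> list:
    """The f-string case: `name` is spliced into the statement before sqlite3
    sees it, so quote characters in `name` change the query's structure."""
    return conn.execute(f"SELECT name FROM users WHERE name = '{name}'").fetchall()


def lookup_with_template(conn: sqlite3.Connection, name: str) -> list:
    """The template case: the consumer receives the literal text and the value
    separately and binds the value as a parameter; it is only ever data."""
    tpl = Template(strings=("SELECT name FROM users WHERE name = ", ""),
                   interpolations=(Interpolation(name, "name"),))
    return run_sql(conn, tpl)


ATTACKER = "' OR '1'='1"   # constructed sample input


if __name__ == "__main__":
    conn = setup_db()
    print(lookup_with_fstring(conn, ATTACKER))   # both rows: the WHERE clause was rewritten
    print(lookup_with_template(conn, ATTACKER))  # []: the whole string is a literal name
    print(render_html(Template(("<b>", "</b>"), (Interpolation("<script>", "x"),))))
```

The same `Template` value can be handed to `run_sql` or `render_html` and each applies the escaping appropriate to its own sink, which is exactly what an f-string cannot offer once the pieces have been concatenated. Note that this only helps when the callee actually consumes the template structure; a consumer that calls `str()` on it and moves on is back to the f-string situation.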