| ▲ | rowanG077 7 days ago | |||||||
f-strings are not eval. It's not dynamic. It's simply an expression that is ran just like every other expression. | ||||||||
| ▲ | bcoates 6 days ago | parent [-] | |||||||
Right, and then if you do literally anything with the output other than print() to a tty, it’s an escaping/injection attack. any_func(f"{attacker_provided}") <=> eval(attacker_provided), from a security/correctness perspective | ||||||||
| ||||||||