rowanG077 3 months ago
f-strings are not eval. It's not dynamic. It's simply an expression that is run just like every other expression.
bcoates 3 months ago | parent
Right, and then if you do literally anything with the output other than print() to a tty, it's an escaping/injection attack. any_func(f"{attacker_provided}") <=> eval(attacker_provided), from a security/correctness perspective
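An added illustration of the point bcoates is making, not code from either commenter: the same input string is treated as part of the SQL program when interpolated with an f-string, and as plain data when bound as a parameter. It assumes only the standard-library sqlite3 module and a constructed in-memory users table.

```python
import sqlite3


def make_db():
    # Constructed sample table for the demonstration (not from the thread).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn


def lookup_fstring(conn, name):
    # Interpolating caller-controlled text into the query string: the input
    # becomes part of the SQL program, which is the eval()-like behaviour
    # the comment describes.
    query = f"SELECT name FROM users WHERE name = '{name}'"
    return [row[0] for row in conn.execute(query)]


def lookup_param(conn, name):
    # Parameter binding keeps the value out of the program text; the driver
    # passes it as data, so it can only ever be compared as a literal name.
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


if __name__ == "__main__":
    conn = make_db()
    hostile = "x' OR '1'='1"  # constructed input, not a real username
    print(lookup_fstring(conn, hostile))  # both rows: input rewrote the query
    print(lookup_param(conn, hostile))    # []: input was matched as data
```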