f-strings are not eval. It's not dynamic. It's simply an expression that is ran just like every other expression.

Right, and then if you do literally anything with the output other than print() to a tty, it’s an escaping/injection attack.

any_func(f"{attacker_provided}") <=> eval(attacker_provided), from a security/correctness perspective

	▲	rowanG077 2 months ago \| parent \| next [-]
		Shooting any unsanitized input into your application is bad. template strings don't make this worse. any_func(attacker_provided) is even worse then any_func(t"{attacker_provided}") since in the later case you actually have reduced the attack surface to just strings.
	▲	saagarjha 3 months ago \| parent \| prev [-]
		How is this any different from any_func(attacker_provided)