bcoates 3 months ago

Right, and then if you do literally anything with the output other than print() to a tty, it’s an escaping/injection attack.

any_func(f"{attacker_provided}") <=> eval(attacker_provided), from a security/correctness perspective

rowanG077 2 months ago

Shooting any unsanitized input into your application is bad. Template strings don't make this worse. any_func(attacker_provided) is even worse than any_func(t"{attacker_provided}"), since in the latter case you actually have reduced the attack surface to just strings.
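To make the distinction in this reply concrete, here is an added example (not from the thread): a callee that receives a template still sees the SQL text and the interpolated values separately and can bind the values as parameters, whereas a callee handed the f-string result gets one flat str in which a quote inside the data is already part of the SQL. It uses Python 3.14's string.templatelib when available and otherwise a constructed stand-in with the same shape; sql_from_template, sql_from_fstring and run are assumed names.

```python
import sqlite3

try:  # Python 3.14+ has the real structured template type
    from string.templatelib import Interpolation, Template
except ImportError:  # constructed stand-in with the same shape, not the real API
    class Interpolation:
        def __init__(self, value, expression="", conversion=None, format_spec=""):
            self.value, self.expression = value, expression
            self.conversion, self.format_spec = conversion, format_spec

    class Template:
        def __init__(self, *args):
            strings, interps, buf = [], [], ""
            for arg in args:  # adjacent str pieces merge, as in PEP 750
                if isinstance(arg, str):
                    buf += arg
                else:
                    strings.append(buf)
                    interps.append(arg)
                    buf = ""
            strings.append(buf)
            self.strings, self.interpolations = tuple(strings), tuple(interps)

def sql_from_template(tpl):
    """Callee sees SQL text and values separately: every value becomes a bound
    parameter, so it can never alter the query grammar."""
    sql, params = [], []
    for idx, literal in enumerate(tpl.strings):
        sql.append(literal)
        if idx < len(tpl.interpolations):
            sql.append("?")
            params.append(tpl.interpolations[idx].value)
    return "".join(sql), tuple(params)

def sql_from_fstring(name):
    """Callee gets one flat str and can no longer tell data from SQL."""
    return f"SELECT name FROM users WHERE name = '{name}'"

def run(query, params=()):
    """Runs the query against a one-row constructed DB; None if SQLite rejects it."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT)")
    con.execute("INSERT INTO users VALUES (?)", ("O'Brien",))  # constructed row
    try:
        return con.execute(query, params).fetchone()
    except sqlite3.OperationalError:  # the flattened f-string query lands here
        return None
```

The name O'Brien is enough to show the difference: bound as a parameter it is found, while inside the f-string its quote terminates the SQL literal early and SQLite rejects the statement.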

saagarjha 3 months ago

How is this any different from any_func(attacker_provided)?