| ▲ | bjourne 5 days ago | |
In non-web contexts untrusted input is not interpolated into the executable streams so you don't worry about special characters. E.g., there is no point in "sanitizing" the name of a variable in a C compiler. > And if you really want a template that is a separate object that is passed the values separately, you can just wrap a t-string in a function that takes the parameters as arguments. No, you can't do that: "Template strings are evaluated eagerly from left to right, just like f-strings. This means that interpolations are evaluated immediately when the template string is processed, not deferred or wrapped in lambdas." Every function evaluation creates a new Template object, it does not reuse a precompiled one. > and possibly faster Possibly not, since precompilation is not supported. | ||
| ▲ | thayne 5 days ago | parent [-] | |
> In non-web contexts untrusted input is not interpolated into the executable streams so you don't worry about special characters I don't know what you mean by `executable` streams, but besides databases as I've already mentioned, a common thing that shows up in non-web applications is invoking a shell command that includes a user-supplied file name as part of it. Currently doing so safely means you need to call `shlex.quote` or similar on the filename, but with t-strings you could have something like: `shell(t"some-command {filename} 2> somefile | other-command")`. And that is just one specific example. There are other cases it might be useful as well, like say generating an XML configuration file from a template that includes user-supplied input. > No, you can't do that... Every function evaluation creates a new Template object, it does not reuse a precompiled one. The code that generates that Template object is pre-compiled though. If you define a function like: | ||