2016-12-29
format!("{argument}", argument = "test"); // => "test"
Python's approach is lame. It should have used something with a limited list of named arguments, or maybe a dict.
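An added example, not code from this thread, of the "limited list of named arguments" approach in Python: a `string.Formatter` subclass that accepts only allow-listed bare field names, so an untrusted template cannot reach attributes, indexes, conversions or format specs (the allow-list, `render` and `is_rejected` are illustration-only assumptions).

```python
import string


class RestrictedFormatter(string.Formatter):
    """Format with a fixed allow-list of plain named fields only."""

    def __init__(self, allowed_fields):
        super().__init__()
        self.allowed_fields = frozenset(allowed_fields)

    def get_field(self, field_name, args, kwargs):
        # field_name arrives unparsed ("user", "user.__class__", "user[0]", "0").
        # Anything that is not a bare allow-listed identifier is rejected, which
        # covers positional, auto-numbered, attribute and index access.
        if field_name not in self.allowed_fields:
            raise KeyError(f"field {field_name!r} is not allowed")
        return kwargs[field_name], field_name

    def convert_field(self, value, conversion):
        # No !r / !s / !a conversions: only str() of the provided value is used.
        if conversion is not None:
            raise ValueError("conversions are not allowed")
        return value

    def format_field(self, value, format_spec):
        # A spec may carry nested fields or huge widths; keep the output plain.
        if format_spec:
            raise ValueError("format specs are not allowed")
        return str(value)


def render(template, values, allowed_fields=("user", "host")):
    """Render an untrusted template using only the allow-listed values."""
    fmt = RestrictedFormatter(allowed_fields)
    provided = {k: values[k] for k in allowed_fields if k in values}
    return fmt.format(template, **provided)


def is_rejected(template, values):
    """True when the restricted formatter refuses the template."""
    try:
        render(template, values)
    except (KeyError, ValueError):
        return True
    return False


# Constructed sample values for the usage below.
SAMPLE = {"user": "alice", "host": "example.test"}
```

Run `render("hi {user} from {host}", SAMPLE)` for the allowed case and `is_rejected("{user.__class__}", SAMPLE)` to see attribute traversal refused.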
This seems like a really serious misfeature. The kind that needs to be backed out of the release to prevent a security reputation fiasco.
Might as well write "be careful about eval of arbitrary user provided strings".
Although if you are using templates in Python, you are likely using jinja2. And they just "fixed" the bug. So you are good to go if you upgrade.
Don't let users run untrusted code. Full stop.
If you need templating use a sandbox like jinja2.
This is a great power, but also can become an unlimited source of bugs.