
620 points tambourine_man | 1 comments

mounir9912 No.43753471
What I really don't get is how it's any different than applying whatever function you would apply to the template, on the f-string variables. So instead of:

    evil = "<script>alert('bad')</script>"
    template = t"{evil}"
    safe = html(template)
Why not just:

    evil = "<script>alert('bad')</script>"
    safe = f"{html(evil)}"
Or even before creating the f-string. Is it just about not forgetting the sanitization/string manipulation part and forcing you to go through that?
zahlman No.43757122
> Is it just about not forgetting the sanitization/string manipulation part and forcing you to go through that?

This is a very big deal! It's also about centralizing that work. Now, that sanitization can occur in the consumer of the t-string (for example, the API to your HTML renderer) rather than in every f-string.
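As an added illustration of the centralizing point (example code, not from the thread or from CPython), here is a small stand-in for the 3.14 Template object and an `html()` consumer that escapes every interpolation in one place; the `Interpolation`/`Template` stand-ins, the `Markup` marker and the two render helpers are assumptions made for this example.

```python
from dataclasses import dataclass
from html import escape


# Stand-in for Python 3.14's string.templatelib (assumption: mirrors its shape,
# not its exact API): a t-string evaluates to literal parts plus Interpolation
# objects, never to a plain str, so the consumer still sees the boundaries.
@dataclass(frozen=True)
class Interpolation:
    value: object
    expression: str


@dataclass(frozen=True)
class Template:
    strings: tuple          # literal parts; always one more than interpolations
    interpolations: tuple


class Markup(str):
    """Value the consumer has already vetted; html() emits it unescaped."""


def html(template: Template) -> str:
    """The consumer from the reply above: escaping happens here, once, for every interpolation."""
    out = [template.strings[0]]
    for interp, literal in zip(template.interpolations, template.strings[1:]):
        value = interp.value
        if isinstance(value, Template):     # nested template: render with the same rules
            out.append(html(value))
        elif isinstance(value, Markup):     # explicitly trusted fragment
            out.append(str(value))
        else:                               # everything else is data, so escape it
            out.append(escape(str(value), quote=True))
        out.append(literal)                 # literal markup from the template is trusted
    return "".join(out)


EVIL = "<script>alert('bad')</script>"    # constructed sample, as in the thread


def render_with_template(name: object) -> str:
    # What t"<p>Hello {name}</p>" would produce under the stand-in above.
    return html(Template(("<p>Hello ", "</p>"), (Interpolation(name, "name"),)))


def render_with_fstring(name: str) -> str:
    # Escaping is every call site's job; one forgotten escape(name) leaks raw markup.
    return f"<p>Hello {name}</p>"


if __name__ == "__main__":
    print(render_with_template(EVIL))
    print(render_with_template(Markup("<b>vetted</b>")))
    print(render_with_fstring(EVIL))
```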