Be Careful with Python’s New-Style String Format

This should have been obvious to me for a long time, but until earlier
today I did not really realize the severity of the issues caused by
calling str.format on untrusted user input. It came up as a way to bypass the
Jinja2 Sandbox in a way that would permit r…

Similar

My favorite terrible Python error message

Students in my Python classes occasionally get the following error message: TypeError: object() takes no parameters This error message is technically true, as I’ll explain in a moment. But it’s surprising and confusing for people who are new to Python, be...