undefined | Better HN

0 pointsratorx11mo ago0 comments

I’m not sure you understood my example. The f-string is within a function. The function argument only accepts sanitised input type.

If you create a subclass of str which has an init function that sanitises, then you can’t create a Sanitised type by casting right?

And even if you could, there is also nothing stopping you from using a different function to “html” that just returns the string without sanitising. They are on the same relative level of safety.

0 comments

itishappy11mo ago

Oh, I'm pretty sure I didn't understand your example and am probably missing something obvious. That's why I'm here asking dumb questions!

I think I'm following more, and I see how you can accomplish this by encapsulating the rendering, but I'm still not seeing how this is possible with user facing f-strings. Think you can write up a quick example?

ratorxOP11mo ago

Added example to parent comment.

itishappy11mo ago

Thanks mate! (BTW: Indenting code with four spaces makes HN format it like code.)

So the thing I'm still not getting from your example is allowing the template itself to be customized.

   evil = "<script>alert('evil')</script>"
   template1 = t"<p>{evil}</p>"
   template2 = t"<h1>{evil}</h1>"
   html(template1)
   html(template2)

1 more reply

j / k navigate · click thread line to collapse

0 pointsratorx11mo ago0 comments

I’m not sure you understood my example. The f-string is within a function. The function argument only accepts sanitised input type.

If you create a subclass of str which has an init function that sanitises, then you can’t create a Sanitised type by casting right?

And even if you could, there is also nothing stopping you from using a different function to “html” that just returns the string without sanitising. They are on the same relative level of safety.

0 comments

itishappy11mo ago

Oh, I'm pretty sure I didn't understand your example and am probably missing something obvious. That's why I'm here asking dumb questions!

ratorxOP11mo ago

Added example to parent comment.

itishappy11mo ago

Thanks mate! (BTW: Indenting code with four spaces makes HN format it like code.)

So the thing I'm still not getting from your example is allowing the template itself to be customized.

   evil = "<script>alert('evil')</script>"
   template1 = t"<p>{evil}</p>"
   template2 = t"<h1>{evil}</h1>"
   html(template1)
   html(template2)

1 more reply

j / k navigate · click thread line to collapse