Which are safe methods and practices for string formatting with user input in Python 3?

python security user-input string-formatting string-interpolation

Solution 1:

It doesn't matter which format you choose, any format and library can have its own downsides and vulnerabilities. The bigger questions you need to ask yourself is what is the risk factor and the scenario you are facing with, and what are you going to do about it. First ask yourself: will there be a scenario where a user or an external entity of some kind (for example - an external system) sends you a format string? If the answer is no, there is no risk. If the answer is yes, you need to see whether this is needed or not. If not - remove it to eliminate the risk. If you need it - you can perform whitelist-based input validation and exclude all format-specific special characters from the list of permitted characters, in order to eliminate the risk. For example, no format string can pass the ^[a-zA-Z0-9\s]*$ generic regular expression.

So the bottom line is: it doesn't matter which format string type you use, what's really important is what do you do with it and how can you reduce and eliminate the risk of it being tampered.

Related

cytoolz/dicttoolz.c:19:10: fatal error: Python.h: No such file or directory
How to Ignore specific file from Visual Studio Warnings Analyzer?
Console.WriteLine slow
Browser back button handling
Are compound literals Standard C++?
Self-closing tags (void elements) in HTML5
How do I change date time format in Android?
How do I get the subscribers of an event?
How to define <welcome-file-list> and <error-page> in servlet 3.0's web.xml-less?
Performance with global variables vs local
Get element by part of Name or ID
Logical AND, OR: Is left-to-right evaluation guaranteed?