On Wed, Apr 6, 2016 at 11:43 AM, Steven D'Aprano <st...@pearwood.info> wrote:
> Look at what you've done: you've restricted the entire world of Python down
> to, effectively, a calculator and a few string methods. That's not to say
> that a calculator and a few string methods won't be useful to someone, but
> the next Javascript it is not...

It most certainly is useful. Want a calculator? Restrict the character set to "0123456789+-/*() " (or if you prefer: ensure that it matches "^[-+/*0-9 ()]*$") and then eval it. AFAIK you can't attack anything with just those characters (again, aside from DOSing by ridiculous exponentiation). Plenty of places I've used that kind of thing, but yeah, the next JS it is not.

ChrisA
--
https://mail.python.org/mailman/listinfo/python-list
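
Added example, not part of the message above: the character allowlist followed by eval, with the exponentiation gap the post mentions closed by rejecting "**" outright. The names calc, passes_allowlist and MAX_LEN, the length cap, and the choice to reject rather than bound exponentiation are assumptions of this example.

```python
import re

# Allowlist from the post: digits, + - / *, parentheses and space.
ALLOWED = re.compile(r"[-+/*0-9 ()]*")
MAX_LEN = 100  # assumption: length cap, not from the post


def passes_allowlist(expr):
    # fullmatch instead of ^...$, because $ also matches before a trailing newline.
    return ALLOWED.fullmatch(expr) is not None


def calc(expr):
    """Evaluate an arithmetic string; raise ValueError for anything else."""
    if len(expr) > MAX_LEN or not passes_allowlist(expr):
        raise ValueError("expression too long or contains disallowed characters")
    # "**" is spelled with allowed characters, so the allowlist alone accepts
    # "9**9**9**9". It is a single token ("* *" is a syntax error), so a
    # substring test is enough to catch it before eval does any work.
    if "**" in expr:
        raise ValueError("exponentiation is not permitted")
    try:
        # Empty builtins as defence in depth; the allowlist already
        # prevents any name from being spelled.
        return eval(expr, {"__builtins__": {}}, {})
    except (SyntaxError, ZeroDivisionError, TypeError,
            MemoryError, RecursionError) as exc:
        raise ValueError(f"invalid expression: {exc}") from None


if __name__ == "__main__":
    # Constructed sample inputs.
    for sample in ["2 + 3 * (4 - 1)", "7/2", "9**9**9**9", "abs(-3)", "1/0"]:
        try:
            print(f"{sample!r} -> {calc(sample)}")
        except ValueError as err:
            print(f"{sample!r} rejected: {err}")
```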