interpolation proposals and safety

[kdevel]

On Thursday, 29 August 2024 at 14:21:24 UTC, Steven Schveighoffer 
wrote:
> On Thursday, 22 August 2024 at 19:34:32 UTC, kdevel wrote:
>> `writeln` should not print unadorned interpolated string 
>> expressions.
>
> I find this argument unconvincing.
>
> You can print anything with `writeln`. [...]

Not really, e.g. in the case of an object the class name will be 
printed instead of the potentially dangerous content:

```
import std.stdio;

class C {
    string s;
    this (string s)
    {
       this.s = s;
    }
}

void main ()
{
    auto c = new C ("<script>alert(-1)</script>");
    writeln (c);
}
```

```
$ dmd classprint.d
$ ./classprint
classprint.C
```

In a superior implementation of write(ln) this would simply also 
not compile. I mean there is a difference between printing the 
data payload to the output channel and OTOH dumping debug 
information to the developer.

> The point of making IES play nice with `writeln` is that it is 
> a major expectation of any kind of interpolation setup. People 
> just expect to log interpolated sequences that have their stuff 
> in it.

I don't know if you noticed your own wording: We are expecting to 
"log" IES data but not to "print" them to the output channel.

> [SQL]
>
> Basically, you found just a very narrow example that is 
> unlikely to exist, but indeed might be confusing if an exact 
> series of mistakes are made. Even without IES, a user is 
> equally likely to use `writef` to make the same mistake.

With post-1036e D the user has now three equally potent ways to 
shoot theirself in the foot:

1.
```
      data = "alert (-1)";
      writeln ("<script>" ~ data ~ "</script>");
```

2.
```
      data = "alert (-1)";
      writeln (format!"<script>%s</script>" (data));
```

3.
```
      data = "alert (-1)";
      writeln (i"<script>$(data)</script>");
```