Perl 6 strings, interpolation and templates?

BerntB has asked for the wisdom of the Perl Monks concerning the following question:

I thought it is high time to ask my first Perl 6 question on PerlMonks, so... :-)

On http://planet.perl.org, Gabor Szabo is posting introductory material on Perl 6, here is a post about strings in Perl 6. I must be missing something? One of the examples are:

   say "Hello { join(', ', @names) } how are you?";
[download]

Evaluating code in strings seems ripe for exploitation by any form of templating code which reads strings from files to print them? Is this handled with some kind of tainting functionality in Perl 6?

(There is similar evaluation of code in Perl 5's regexps, but they have security handling for just this.)

Comment on Perl 6 strings, interpolation and templates? Download Code

Replies are listed 'Best First'.
Re: Perl 6 strings, interpolation and templates? by ikegami (Patriarch) on Mar 15, 2009 at 00:33 UTC
You can already do that in Perl 5: `say "Hello @{[ join(', ', @names) ]} how are you?";` [download] There's no security issue because it's not `say` that causes the interpolation, it's the string literal. And it's no more possible for someone to provide a string literal as they could provide a for loop. `use strict; use warnings; use 5.010; my @names = qw( ikegami ); say "Hello @{[ join(', ', @names) ]} how are you?"; my $user_input = q{Hello @{[ join(', ', @names) ]} how are you?}; say $user_input;` [download] `Hello ikegami how are you? Hello @{[ join(', ', @names) ]} how are you?` [download]	[reply] [d/l] [select]
Re^2: Perl 6 strings, interpolation and templates? by BerntB (Deacon) on Mar 15, 2009 at 00:46 UTC
Ah yes, 5.10... version limitations at work means that I've not read the perldoc for it yet. :-( Thanks. Sorry for stupid q.	[reply]
Re^3: Perl 6 strings, interpolation and templates? by almut (Canon) on Mar 15, 2009 at 01:03 UTC
It's just the `say` that's 5.10 specific here... the interpolation mechanism already worked like this before... (This is just array interpolation with an anonymous array — in between the `[...]` can go arbitrary code.)	[reply] [d/l] [select]
Re^4: Perl 6 strings, interpolation and templates? by BerntB (Deacon) on Mar 15, 2009 at 01:08 UTC
Re: Perl 6 strings, interpolation and templates? by moritz (Cardinal) on Mar 15, 2009 at 18:14 UTC
Evaluating code in strings seems ripe for exploitation by any form of templating code which reads strings from files to print them? No, the interpolation only happens when you `eval` the string, not when you read it.	[reply] [d/l]
Re^2: Perl 6 strings, interpolation and templates? by BerntB (Deacon) on Mar 16, 2009 at 11:59 UTC
Thanks, but I wrote a stupid question, but not that stupid. :-)	[reply]