Introducing t-strings in Python 3.14: A Safer, Flexible Alternative to f-strings
The article explains the upcoming Python 3.14 t-strings feature, describing how it generalizes f-strings into a Template type that improves security against injection attacks, demonstrates usage with code examples, and discusses its flexibility, future ecosystem support, and practical applications.
f-strings, introduced in Python 3.6, quickly became popular, but their misuse can lead to security problems such as SQL injection and XSS. Python 3.14, expected in late 2025, will add t-strings (template strings) as a safer, more flexible alternative.
What are t-strings? t-strings are a generalized form of f-strings that create a string.templatelib.Template object instead of an immediate string. The Template type lacks a __str__() method, so developers must process the object (e.g., via an html() function) before rendering, allowing safe escaping of dynamic content.
Example of building a safe HTML element:
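<code>from string.templatelib import Template
# html() is not part of the standard library; it stands for a processing
# function that escapes interpolated values before building the final string.
evil = "<script>alert('bad')</script>"
template = t"<p>{evil}</p>"
safe_html = html(template)  # Returns escaped HTML, preventing XSS</code>
The flexibility of t-strings extends beyond security; they support complex interpolations such as attribute dictionaries: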
<code>attributes = {"src": "roquefort.jpg", "alt": "Yum"}
template = t"<img {attributes} />"
element = html(template)  # Produces a complete <img> tag</code>
For developers familiar with JavaScript, t-strings resemble tag templates, offering a comparable way to embed expressions within markup.
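A minimal html() processor of the kind the two snippets above assume, as an added example that is not code from the article or from the PEP 750 authors. The function body, the ATTR_NAME pattern and the fallback stand-in classes for interpreters older than 3.14 are assumptions; the templates are built directly rather than with t"..." literals so the block also parses on those interpreters.

```python
import re
from html import escape

try:
    from string.templatelib import Interpolation, Template  # Python 3.14+
except ImportError:
    # Stand-ins so the example also runs on older interpreters (assumption:
    # they mimic only iteration and .value, not the full stdlib types).
    from collections import namedtuple
    Interpolation = namedtuple("Interpolation", "value expression", defaults=("",))

    class Template:
        def __init__(self, *parts):
            self.parts = parts

        def __iter__(self):
            return iter(p for p in self.parts if p != "")

# Conservative allow-list for attribute names taken from a dict (assumption).
ATTR_NAME = re.compile(r"[A-Za-z_:][A-Za-z0-9_.:-]*")


def html(template) -> str:
    """Render a Template: static parts pass through, interpolated values are escaped."""
    out = []
    for item in template:
        if isinstance(item, str):
            out.append(item)  # literal markup written by the developer
        elif isinstance(item.value, dict):
            attrs = []
            for name, value in item.value.items():
                if not ATTR_NAME.fullmatch(name):
                    raise ValueError(f"invalid attribute name: {name!r}")
                attrs.append(f'{name}="{escape(str(value), quote=True)}"')
            out.append(" ".join(attrs))
        else:
            out.append(escape(str(item.value), quote=True))
    return "".join(out)


# Constructed sample input; on 3.14 this Template is what t"<p>{evil}</p>" builds.
evil = "<script>alert('bad')</script>"
page = html(Template("<p>", Interpolation(value=evil, expression="evil"), "</p>"))
attributes = {"src": "roquefort.jpg", "alt": 'Say "cheese"'}
img = html(Template("<img ", Interpolation(value=attributes, expression="attributes"), " />"))
print(page)
print(img)
```

This renderer does not track where in the markup an interpolation sits, so it is only correct for element text and quoted attribute values; script, style and URL contexts need their own handling.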
How to use t-strings? The Template object provides .strings and .values tuples, can be iterated, and exposes detailed interpolation metadata (.interpolations, each with value, expression, conversion, and format_spec).
<code>name = "World"
template = t"Hello {name}!"
print(template.strings)  # ('Hello ', '!')
print(template.values)   # ('World',)
for item in template:
    print(item)
</code>
Templates can also be instantiated directly:
<code>from string.templatelib import Template, Interpolation
template = Template("Hello ", Interpolation(value="World", expression="name"), "!")</code>
A sample application, converting template content to pig Latin, shows what processing each interpolation makes possible:
<code>from string.templatelib import Template

def pig_latin(template: Template) -> str:
    """Convert a Template to pig Latin"""
    result = []
    for item in template:
        if isinstance(item, str):
            # Static text is kept as written
            result.append(item)
        else:
            word = item.value
            if not word:
                continue  # nothing to transform for an empty value
            if word[0] in "aeiou":
                result.append(word + "yay")
            else:
                result.append(word[1:] + word[0] + "ay")
    return "".join(result)

name = "world"
template = t"Hello {name}!"
print(pig_latin(template))  # Output: Hello orldway!</code>
The article concludes with a forward-looking view: t-strings are expected to become widely adopted in libraries and frameworks, especially for handling user input, and tooling such as black, ruff, and VS Code should evolve to support them. The feature is driven by PEP 750 contributors including Dave Peck, Jim, Paul, Koudai, Lysandros, and Guido.
Python Programming Learning Circle
A global community of Chinese Python developers offering technical articles, columns, original video tutorials, and problem sets. Topics include web full‑stack development, web scraping, data analysis, natural language processing, image processing, machine learning, automated testing, DevOps automation, and big data.