Post content
http://lucumr.pocoo.org/2016/12/29/careful-with-str-format/ #security This should have been obvious to me for a longer time, but until earlier today I did not really realize the severity of the issues caused by str.format on untrusted user input. It came up as a way to bypass the Jinja2 Sandbox in a way that would permit retrieving information that you should not have access to, which is why I just pushed out a security release for it. However, I think the general issue is quite severe and needs to be discussed, because most people are most likely not aware of how easy it is to exploit.
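The str.format hazard the post refers to, as an added example that is not part of the post or of the linked article: a template string taken from an untrusted source and rendered with `str.format` can walk attributes of any object passed as an argument, while a `string.Formatter` subclass that resolves only allow-listed field names rejects that traversal. `Config`, `Event` and the token value below are constructed sample data.

```python
import string


class Config:
    def __init__(self, name: str, api_token: str) -> None:
        self.name = name
        self.api_token = api_token  # must never be reachable from a user-supplied template


class Event:
    def __init__(self, title: str, cfg: Config) -> None:
        self.title = title
        self.cfg = cfg  # a reference like this is all str.format needs to reach the token


# Constructed sample data; the token is a placeholder, not a real secret.
CFG = Config("demo-app", "TOKEN-PLACEHOLDER-not-a-real-secret")
EVENT = Event("Deploy finished", CFG)


def render_naive(template: str) -> str:
    """Vulnerable: str.format lets the template author follow '.' and '[' on any argument."""
    return template.format(event=EVENT)


class SafeFormatter(string.Formatter):
    """Resolves only exact, allow-listed field names; '.', '[' and positional fields are refused."""

    def __init__(self, allowed: dict) -> None:
        super().__init__()
        self.allowed = allowed

    def get_field(self, field_name, args, kwargs):
        # field_name is the raw text between the braces, e.g. "event.cfg.api_token";
        # refusing anything not in the allow-list blocks attribute and index traversal,
        # including fields nested inside a format spec such as "{title:>{width}}".
        if field_name not in self.allowed:
            raise ValueError(f"field not allowed: {field_name!r}")
        return self.allowed[field_name], field_name


SAFE = SafeFormatter({"title": EVENT.title, "app": CFG.name})


def render_safe(template: str) -> str:
    """Hardened: only the fields explicitly exposed in SAFE can appear in the template."""
    return SAFE.format(template)


def template_is_safe(template: str) -> bool:
    """True if the hardened renderer accepts the template, False if it refuses it."""
    try:
        render_safe(template)
        return True
    except ValueError:
        return False
```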