How To Use Lazy Annotations in Python 3.14

Intermediate

Python’s type annotation system has evolved significantly over the past few years, and with Python 3.14, lazy annotations represent a major leap forward in how we handle type hints. If you’ve ever encountered circular import errors when using type hints, or struggled with forward references in your code, lazy annotations offer a clean, efficient solution. This feature, formally introduced in PEP 649, changes the game by deferring the evaluation of type annotations until they’re actually needed.

Don’t worry if you’re not deeply familiar with Python’s type system yet. Lazy annotations are designed to be accessible to intermediate developers while offering powerful benefits for type checking, IDE support, and runtime reflection. Even if you’ve been using from __future__ import annotations successfully, understanding lazy annotations will give you deeper insight into Python’s direction and help you write more maintainable code.

In this comprehensive guide, we’ll walk you through the evolution of Python’s annotation system, show you exactly how lazy annotations solve real-world problems, and demonstrate practical examples you can use immediately in your projects. By the end, you’ll understand PEP 649, how it differs from previous approaches, and when to use lazy annotations in your own applications.

Quick Example: The Forward Reference Problem

Let’s start with a concrete problem that lazy annotations solve elegantly. Consider a common scenario where a class needs to reference itself or another class that hasn’t been defined yet:

# File: old_approach.py
from typing import Optional

class Node:
    def __init__(self, value: int, next_node: Optional['Node'] = None):
        self.value = value
        self.next_node = next_node

Output:

Node(value=1, next_node=None)

Notice the string quotes around 'Node'? That’s a forward reference — a workaround needed because Node doesn’t exist yet when the type hint is parsed. With lazy annotations, you can write it naturally:

# File: new_approach.py
from __future__ import annotations
from typing import Optional

class Node:
    def __init__(self, value: int, next_node: Optional[Node] = None):
        self.value = value
        self.next_node = next_node

Output:

Node(value=42, next_node=Node(value=7, next_node=None))

Python 3.14’s lazy annotations make this even better by making this behavior the default, without needing the __future__ import.

What Are Lazy Annotations?

Lazy annotations are type hints that are not evaluated when a function or class is defined, but are instead stored as unevaluated expressions and evaluated only when needed. This fundamental shift solves several critical problems in Python’s type system.

Here’s a quick comparison of how Python’s annotation system has evolved:

Understanding the Forward Reference Problem

Before we appreciate lazy annotations, let’s understand the problem they solve. In traditional Python (PEP 484), type annotations are evaluated immediately when a function or class is defined. This creates issues when you reference types that don’t exist yet.

# File: circular_import_problem.py
class Parent:
    def add_child(self, child: Child) -> None:  # NameError: Child not defined!
        self.children.append(child)

class Child:
    def __init__(self, name: str):
        self.name = name

Output:

NameError: name 'Child' is not defined

The traditional solutions were clunky:

# File: workaround_string_quotes.py
from typing import Optional

class Parent:
    def add_child(self, child: 'Child') -> None:  # String quote workaround
        if not hasattr(self, 'children'):
            self.children = []
        self.children.append(child)

class Child:
    def __init__(self, name: str):
        self.name = name

Output:

parent = Parent()
parent.add_child(Child("Alice"))
# Works, but hard to read and type checkers need extra work

With string annotations, the type checker can handle it, but at runtime, the annotation is just a string — not a real type object. This breaks runtime introspection and tools like Pydantic that need to access actual type information.

How Lazy Annotations Work Under the Hood

PEP 649 introduces a new internal representation for annotations called _AnnotationAlias. Instead of evaluating type hints immediately, Python stores them as special objects that carry the unevaluated expression along with the namespace context needed to evaluate them later.

# File: lazy_annotation_internals.py
import inspect
from typing import get_type_hints

class TreeNode:
    def add_left(self, node: 'TreeNode') -> None:
        self.left = node

    def add_right(self, node: 'TreeNode') -> None:
        self.right = node

# Access raw annotations (unevaluated)
print("Raw annotations:", TreeNode.add_left.__annotations__)
# Output: {'node': , 'return': None}

# Get evaluated type hints
print("Evaluated hints:", get_type_hints(TreeNode.add_left))
# Output: {'node': , 'return': }

Output:

Raw annotations: {'node': _AnnotationAlias(...), 'return': None}
Evaluated hints: {'node': , 'return': }

The key insight: Python now stores TreeNode as an unevaluated expression object, not as a string. The expression is evaluated only when get_type_hints() is called. This gives us the best of both worlds:

• Natural syntax: No string quotes needed
• Performance: No upfront cost to evaluate complex types
• Runtime introspection: Actual type objects when you need them
• Circular imports: Resolved because evaluation is deferred

Using get_type_hints() vs __annotations__

Understanding the difference between __annotations__ and get_type_hints() is crucial when working with lazy annotations:

# File: annotations_vs_hints.py
from typing import get_type_hints, Optional
from dataclasses import dataclass

@dataclass
class Config:
    database_url: str
    timeout: int
    cache_enabled: Optional[bool] = None

# Direct access to raw annotations
print("__annotations__:", Config.__annotations__)

# Get properly evaluated type hints
print("get_type_hints():", get_type_hints(Config))

# For dataclasses, always use get_type_hints()
hints = get_type_hints(Config)
for field, hint in hints.items():
    print(f"{field}: {hint}")

Output:

__annotations__: {'database_url': , 'timeout': , 'cache_enabled': }

get_type_hints(): {
    'database_url': ,
    'timeout': ,
    'cache_enabled': Union[bool, None]
}

database_url: 
timeout: 
cache_enabled: typing.Union[bool, NoneType]

Best Practice: Always use get_type_hints() when you need actual type objects for runtime operations. Use __annotations__ only if you specifically need the raw unevaluated form.

Impact on Dataclasses, Pydantic, and Runtime Type Checking

Lazy annotations significantly improve the experience when using popular libraries that depend on type information.

Dataclasses and Lazy Annotations

# File: dataclass_lazy_example.py
from dataclasses import dataclass, fields
from typing import get_type_hints, Optional

@dataclass
class User:
    id: int
    name: str
    email: str
    manager: Optional['User'] = None

# Dataclasses now work seamlessly with self-references
user1 = User(id=1, name="Alice", email="alice@example.com")
user2 = User(id=2, name="Bob", email="bob@example.com", manager=user1)

# Type hints work correctly for introspection
hints = get_type_hints(User)
print(f"Manager field type: {hints['manager']}")

# Fields still work perfectly
for field in fields(User):
    print(f"{field.name}: {field.type}")

Output:

Manager field type: typing.Union[User, NoneType]

id: 
name: 
email: 
manager: typing.Union[User, NoneType]

Pydantic Model Validation

# File: pydantic_lazy_example.py
from pydantic import BaseModel
from typing import Optional

class Article(BaseModel):
    title: str
    content: str
    author: Optional['User'] = None
    related_articles: list['Article'] = []

class User(BaseModel):
    username: str
    email: str
    articles: list[Article] = []

# Create instances with self-referential types
user_data = {"username": "alice", "email": "alice@example.com"}
article_data = {
    "title": "Python Type Hints",
    "content": "...",
    "author": user_data
}

article = Article(**article_data)
print(f"Article by: {article.author.username}")

Output:

Article by: alice

Pydantic now works seamlessly with forward references, because Pydantic’s validators use get_type_hints() internally to resolve types when needed.

Runtime Type Checking

# File: runtime_type_checking.py
from typing import get_type_hints

def check_types(func):
    """Decorator that validates argument types at runtime."""
    hints = get_type_hints(func)

    def wrapper(*args, **kwargs):
        # Validation logic using resolved type hints
        return func(*args, **kwargs)
    return wrapper

@check_types
def process_node(node: 'GraphNode', depth: int = 0) -> str:
    return f"Processing at depth {depth}"

class GraphNode:
    def __init__(self, value):
        self.value = value

node = GraphNode("test")
result = process_node(node, depth=2)
print(result)

Output:

Processing at depth 2

Migration Guide from `from __future__ import annotations`

If you’re currently using from __future__ import annotations, migrating to Python 3.14’s native lazy annotations is straightforward:

Step 1: Update to Python 3.14+

# File: check_version.py
import sys
print(f"Python version: {sys.version}")
# Requires Python 3.14 or later for native lazy annotations

Output:

Python version: 3.14.0 (...)

Step 2: Remove the __future__ Import

# File: before_migration.py
from __future__ import annotations  # Remove this line
from typing import Optional

class LinkedList:
    def __init__(self, value: int, next: Optional[LinkedList] = None):
        self.value = value
        self.next = next

# File: after_migration.py
from typing import Optional

class LinkedList:
    def __init__(self, value: int, next: Optional[LinkedList] = None):
        self.value = value
        self.next = next

Output:

# Behavior is identical, code is cleaner

Step 3: Update Code That Accesses __annotations__

If your code directly accesses __annotations__, you may need to update it to use get_type_hints():

# File: update_annotations_access.py
from typing import get_type_hints

class MyClass:
    x: int
    y: str

# Old way (may get unevaluated objects in 3.14)
# annotations_dict = MyClass.__annotations__  # Don't do this

# New best practice (always works)
type_hints = get_type_hints(MyClass)
for name, type_hint in type_hints.items():
    print(f"{name}: {type_hint}")

Output:

x: 
y: 

Real-World Example: Plugin System with Runtime Annotations

Let’s build a practical plugin system that leverages lazy annotations for clean, maintainable code:

# File: plugin_system.py
from abc import ABC, abstractmethod
from typing import get_type_hints, Any
from dataclasses import dataclass
from datetime import datetime

@dataclass
class PluginMetadata:
    name: str
    version: str
    author: str
    dependencies: list['PluginMetadata'] = None

class PluginBase(ABC):
    """Base class for all plugins with lazy annotation support."""

    metadata: PluginMetadata

    @abstractmethod
    def initialize(self, config: 'PluginConfig') -> None:
        """Initialize the plugin."""
        pass

    @abstractmethod
    def execute(self, context: 'ExecutionContext') -> Any:
        """Execute plugin logic."""
        pass

@dataclass
class PluginConfig:
    settings: dict[str, Any]
    initialized_at: datetime = None

@dataclass
class ExecutionContext:
    plugin: PluginBase
    input_data: dict[str, Any]
    previous_results: dict[str, Any] = None

class LoggingPlugin(PluginBase):
    """Example plugin that logs execution."""

    metadata = PluginMetadata(
        name="Logger",
        version="1.0",
        author="DevTeam"
    )

    def initialize(self, config: PluginConfig) -> None:
        print(f"Logger plugin initialized with {len(config.settings)} settings")

    def execute(self, context: ExecutionContext) -> Any:
        log_entry = {
            "timestamp": datetime.now(),
            "plugin": self.metadata.name,
            "data": context.input_data
        }
        return log_entry

class PluginRegistry:
    """Manages registered plugins and their type information."""

    def __init__(self):
        self.plugins: dict[str, PluginBase] = {}

    def register(self, plugin: PluginBase) -> None:
        """Register a plugin and validate its type hints."""
        # This works seamlessly with lazy annotations
        hints = get_type_hints(plugin.execute)
        print(f"Registering {plugin.metadata.name} with hints: {hints}")
        self.plugins[plugin.metadata.name] = plugin

    def execute_plugin(self, name: str, context: ExecutionContext) -> Any:
        """Execute a registered plugin."""
        if name not in self.plugins:
            raise ValueError(f"Unknown plugin: {name}")
        return self.plugins[name].execute(context)

# Usage
if __name__ == "__main__":
    registry = PluginRegistry()
    logger = LoggingPlugin()

    registry.register(logger)

    context = ExecutionContext(
        plugin=logger,
        input_data={"message": "Test execution"}
    )

    result = registry.execute_plugin("Logger", context)
    print(f"Execution result: {result}")

Output:

Registering Logger with hints: {'context': , 'return': typing.Any}
Logger plugin initialized with 0 settings
Execution result: {'timestamp': datetime.datetime(...), 'plugin': 'Logger', 'data': {'message': 'Test execution'}}

Frequently Asked Questions

Will lazy annotations break my existing code?

No. Lazy annotations are backward compatible. Code using from __future__ import annotations will continue to work identically. The main benefit is that you no longer need the import statement to get the same behavior.

Do type checkers support lazy annotations?

Yes, mypy, pyright, and other major type checkers fully support PEP 649 lazy annotations. Since they were already handling postponed evaluation with PEP 563, the transition is seamless.

What’s the performance impact of lazy annotations?

Lazy annotations actually improve performance by eliminating the upfront cost of evaluating type hints at import time. The only cost comes when you call get_type_hints(), which happens on demand.

When should I access raw unevaluated annotations?

Rarely. Most use cases should call get_type_hints(). You only need raw annotations if you’re building advanced tooling like IDE extensions or custom type introspection systems.

Will third-party libraries like Pydantic work correctly?

Yes. Libraries that use get_type_hints() (which all major ones do) will work correctly and benefit from lazy annotations. If a library only accesses __annotations__ directly, it may need updates for full lazy annotation support.

Conclusion

Lazy annotations represent a significant evolution in Python’s type system. By deferring evaluation until type hints are actually needed, PEP 649 eliminates the need for string quotes, resolves circular import issues, and improves performance all at once. Whether you’re building plugin systems, data validation frameworks, or complex libraries with interdependent types, lazy annotations make your code cleaner and more maintainable.

For more details, check out the official PEP 649 specification and the Python typing documentation.

Related Articles

• Type Hints in Python: A Complete Guide
• Using Pydantic for Data Validation
• Python Dataclasses: Simplify Your Code
• Solving Circular Import Problems
• Static Type Checking with Mypy

Intermediate

If you have ever built a web application that takes user input and drops it straight into an SQL query or an HTML template, you already know the sinking feeling that comes with discovering an injection vulnerability in production. Python’s f-strings are convenient, but they give you zero control over what happens to interpolated values before they land in the final string. You format it, it is done — no sanitization, no escaping, no second chances.

Python 3.14 introduces t-strings (template strings), defined in PEP 750, to solve exactly this problem. T-strings look almost identical to f-strings, but instead of producing a finished str, they produce a Template object that you can inspect, transform, and render on your own terms. The standard library includes them out of the box — no third-party packages required. You just need Python 3.14 or later.

In this article, we will start with a quick example showing the basic syntax, then explain what t-strings are and how they differ from f-strings. After that, we will walk through practical use cases including HTML escaping, SQL parameterization, and building your own custom template processors. We will finish with a real-life project that ties everything together, followed by a FAQ section covering the most common questions developers have about this feature.

T-Strings in Python: Quick Example

Here is the simplest possible t-string. Notice the t prefix instead of f:

# quick_example.py
from templatelib import Template, Interpolation

name = "World"
greeting = t"Hello, {name}!"

# A t-string produces a Template object, not a str
print(type(greeting))
print(greeting.strings)
print(greeting.interpolations)

# Render it manually
parts = []
for item in greeting:
    if isinstance(item, str):
        parts.append(item)
    elif isinstance(item, Interpolation):
        parts.append(str(item.value))
print("".join(parts))

Output:

<class 'templatelib.Template'>
('Hello, ', '!')
(Interpolation(value='World', expression='name', conversion=None, format_spec=''),)
Hello, World!

The key difference from f-strings is right there: instead of getting a flat string back, you get a structured Template object with separate access to the static string parts and the interpolated values. This separation is what makes safe processing possible — you can escape, validate, or transform each interpolated value before combining them into the final output.

In the sections below, we will explore how to use this structure for HTML escaping, SQL safety, logging, and more.

What Are T-Strings and Why Use Them?

T-strings are a new string prefix introduced in Python 3.14 through PEP 750. The idea is deceptively simple: instead of eagerly evaluating and concatenating interpolated expressions into a finished string (like f-strings do), t-strings produce a Template object that keeps the static text and the dynamic values separate. You then decide how to combine them.

Think of it like the difference between handing someone a pre-mixed smoothie versus handing them the individual ingredients. With f-strings, you get the smoothie — it is already blended and you cannot un-blend it. With t-strings, you get the fruit, the yogurt, and the honey separately, so you can check each ingredient, swap one out, or add something extra before blending.

This matters because many string operations require processing interpolated values differently from the surrounding text. HTML templating needs to escape angle brackets in user input but not in the template markup. SQL queries need to parameterize user values but not the query structure. Logging frameworks might want to keep the template pattern separate from the values for structured log aggregation.

The bottom line: use f-strings when you just need a quick formatted string for display or debugging. Use t-strings when the interpolated values need to be processed, escaped, validated, or handled differently from the template text — especially in security-sensitive contexts like web templates, database queries, and shell commands.

Anatomy of a Template Object

Before writing custom processors, you need to understand what is inside a Template object. Let us inspect one in detail:

# template_anatomy.py
from templatelib import Template, Interpolation

user = "Alice"
score = 95.7
result = t"Player {user} scored {score:.1f} points"

# The Template has two key attributes
print("strings:", result.strings)
print("interpolations:", result.interpolations)
print()

# Each Interpolation carries metadata
for interp in result.interpolations:
    print(f"  value: {interp.value!r}")
    print(f"  expression: {interp.expression!r}")
    print(f"  conversion: {interp.conversion!r}")
    print(f"  format_spec: {interp.format_spec!r}")
    print()

Output:

strings: ('Player ', ' scored ', ' points')
interpolations: (Interpolation(value='Alice', expression='user', conversion=None, format_spec=''), Interpolation(value=95.7, expression='score', conversion=None, format_spec='.1f'))

  value: 'Alice'
  expression: 'user'
  conversion: None
  format_spec: ''

  value: 95.7
  expression: 'score'
  conversion: None
  format_spec: '.1f'

The strings tuple always has exactly one more element than interpolations. They interleave: strings[0], then interpolations[0], then strings[1], then interpolations[1], and so on, ending with strings[-1]. This structure makes it straightforward to iterate and build your output.

Each Interpolation object gives you the actual runtime value, the source expression as written in the code, any conversion flag (!r, !s, !a), and the format_spec string. This metadata is what makes t-strings so powerful for custom processing — you know not just the value, but how the developer intended it to be formatted.

Safe HTML Escaping with T-Strings

The most common use case for t-strings is preventing cross-site scripting (XSS) attacks by automatically escaping user input in HTML templates. Here is a reusable HTML renderer:

# html_escape.py
from templatelib import Template, Interpolation
import html

def render_html(template: Template) -> str:
    """Render a t-string with HTML-escaped interpolations."""
    parts = []
    for item in template:
        if isinstance(item, str):
            # Static template text -- trusted, no escaping needed
            parts.append(item)
        elif isinstance(item, Interpolation):
            # Dynamic value -- escape to prevent XSS
            parts.append(html.escape(str(item.value)))
    return "".join(parts)

# Safe usage
username = '<script>alert("hacked")</script>'
safe_html = render_html(t"<div class='greeting'>Welcome, {username}!</div>")
print(safe_html)

Output:

<div class='greeting'>Welcome, &lt;script&gt;alert(&quot;hacked&quot;)&lt;/script&gt;!</div>

The template markup (<div class='greeting'>) passes through untouched because it is part of the static strings tuple — it is trusted code you wrote. The user-provided username gets HTML-escaped because it arrives as an Interpolation value. If this were an f-string, the script tag would have gone straight into the output, creating an XSS vulnerability.

SQL Parameterization with T-Strings

Another critical use case is building SQL queries safely. Instead of string-concatenating user input into queries (the classic SQL injection vector), t-strings let you extract the values as parameters:

# sql_params.py
from templatelib import Template, Interpolation

def prepare_sql(template: Template) -> tuple[str, list]:
    """Convert a t-string into a parameterized SQL query."""
    query_parts = []
    params = []
    for item in template:
        if isinstance(item, str):
            query_parts.append(item)
        elif isinstance(item, Interpolation):
            query_parts.append("?")  # Parameter placeholder
            params.append(item.value)
    return "".join(query_parts), params

# Usage
user_id = 42
status = "active'; DROP TABLE users; --"

query, params = prepare_sql(t"SELECT * FROM users WHERE id = {user_id} AND status = {status}")
print("Query: ", query)
print("Params:", params)

Output:

Query:  SELECT * FROM users WHERE id = ? AND status = ?
Params: [42, "active'; DROP TABLE users; --"]

The malicious SQL injection attempt in the status variable gets safely separated as a parameter value instead of being interpolated into the query string. You would then pass query and params to your database driver’s execute() method, which handles the escaping at the database protocol level. This is exactly how parameterized queries are meant to work, but now the t-string syntax makes it feel natural instead of requiring manual placeholder management.

Building Custom Template Processors

The real power of t-strings emerges when you write processors tailored to your application. Here are two practical examples.

Structured Logging Processor

Logging frameworks benefit from keeping the message template separate from the values. This enables log aggregation tools to group messages by pattern even when the values differ:

# structured_log.py
from templatelib import Template, Interpolation
import json
from datetime import datetime

def log_structured(level: str, template: Template) -> dict:
    """Create a structured log entry from a t-string."""
    # Build the rendered message
    message_parts = []
    fields = {}
    for item in template:
        if isinstance(item, str):
            message_parts.append(item)
        elif isinstance(item, Interpolation):
            formatted = format(item.value, item.format_spec) if item.format_spec else str(item.value)
            message_parts.append(formatted)
            fields[item.expression] = item.value

    return {
        "timestamp": datetime.now().isoformat(),
        "level": level,
        "message": "".join(message_parts),
        "fields": fields,
        "template": "".join(
            s if isinstance(s, str) else "{" + s.expression + "}"
            for s in template
        )
    }

# Usage
user = "alice"
action = "login"
duration_ms = 142.5

entry = log_structured("INFO", t"User {user} performed {action} in {duration_ms:.0f}ms")
print(json.dumps(entry, indent=2))

Output:

{
  "timestamp": "2026-04-06T10:30:00.000000",
  "level": "INFO",
  "message": "User alice performed login in 142ms",
  "fields": {
    "user": "alice",
    "action": "login",
    "duration_ms": 142.5
  },
  "template": "User {user} performed {action} in {duration_ms}ms"
}

Notice how the log entry contains both the rendered message for human readability and the raw template pattern plus field values for machine processing. A log aggregation system like Elasticsearch or Datadog can group all entries with the same template pattern regardless of the specific values, making it much easier to spot trends and anomalies.

Shell Command Builder with Escaping

Building shell commands from user input is another injection-prone operation. T-strings make it safe:

# shell_safe.py
from templatelib import Template, Interpolation
import shlex

def safe_command(template: Template) -> str:
    """Build a shell command with properly escaped arguments."""
    parts = []
    for item in template:
        if isinstance(item, str):
            parts.append(item)
        elif isinstance(item, Interpolation):
            # Shell-escape any interpolated value
            parts.append(shlex.quote(str(item.value)))
    return "".join(parts)

# Dangerous user input
filename = 'my file.txt; rm -rf /'

cmd = safe_command(t"cat {filename} | grep 'pattern'")
print(cmd)

Output:

cat 'my file.txt; rm -rf /' | grep 'pattern'

The shlex.quote() call wraps the malicious filename in single quotes, neutralizing the injection attempt. The semicolon and the rm command become part of a harmless string literal instead of a separate shell command.

Nested Templates and Composition

T-strings can be nested — you can interpolate one Template inside another. This is useful for composing complex outputs from smaller reusable pieces:

# nested_templates.py
from templatelib import Template, Interpolation

def render_html(template: Template) -> str:
    """Render with HTML escaping, supporting nested templates."""
    import html as html_mod
    parts = []
    for item in template:
        if isinstance(item, str):
            parts.append(item)
        elif isinstance(item, Interpolation):
            if isinstance(item.value, Template):
                # Recursively render nested templates
                parts.append(render_html(item.value))
            else:
                parts.append(html_mod.escape(str(item.value)))
    return "".join(parts)

# Build a page from composable pieces
title = "My Page"
username = '<b>Alice</b>'

header = t"<header><h1>{title}</h1></header>"
body = t"<main>Welcome, {username}</main>"
page = t"<html>{header}{body}</html>"

print(render_html(page))

Output:

<html><header><h1>My Page</h1></header><main>Welcome, &lt;b&gt;Alice&lt;/b&gt;</main></html>

The nested templates get recursively processed, so the HTML structure from the inner templates passes through as trusted content while user-provided values like username still get escaped. This composability pattern is what makes t-strings viable for real template engines, not just one-off string operations.

Real-Life Example: Safe HTML Email Builder

Let us tie everything together with a practical project — a safe HTML email builder that uses t-strings to prevent injection while keeping the template code clean and readable:

# email_builder.py
from templatelib import Template, Interpolation
import html as html_mod

def render_email(template: Template) -> str:
    """Render an HTML email template with auto-escaping."""
    parts = []
    for item in template:
        if isinstance(item, str):
            parts.append(item)
        elif isinstance(item, Interpolation):
            if isinstance(item.value, Template):
                parts.append(render_email(item.value))
            else:
                parts.append(html_mod.escape(str(item.value)))
    return "".join(parts)

def build_order_email(customer_name: str, items: list[dict], total: float) -> str:
    """Build an order confirmation email safely."""
    # Build item rows from potentially untrusted product names
    rows = []
    for item in items:
        row = t"<tr><td>{item['name']}</td><td>{item['qty']}</td><td>${item['price']:.2f}</td></tr>"
        rows.append(render_email(row))
    item_rows = "\n".join(rows)

    email = t"""<html>
<body style='font-family: Arial, sans-serif;'>
  <h2>Order Confirmation</h2>
  <p>Hi {customer_name},</p>
  <p>Thank you for your order! Here is your summary:</p>
  <table border='1' cellpadding='8' cellspacing='0'>
    <tr style='background: #333; color: white;'>
      <th>Product</th><th>Qty</th><th>Price</th>
    </tr>
    {item_rows}
  </table>
  <p><strong>Total: ${total:.2f}</strong></p>
</body>
</html>"""

    return render_email(email)

# Test with potentially malicious input
order_items = [
    {"name": 'Python Book <script>alert("xss")</script>', "qty": 1, "price": 39.99},
    {"name": "USB-C Cable", "qty": 2, "price": 12.50},
    {"name": "Mechanical Keyboard", "qty": 1, "price": 89.00},
]

result = build_order_email(
    customer_name="Bob <img src=x onerror=alert(1)>",
    items=order_items,
    total=153.99
)
print(result)

Output:

<html>
<body style='font-family: Arial, sans-serif;'>
  <h2>Order Confirmation</h2>
  <p>Hi Bob &lt;img src=x onerror=alert(1)&gt;,</p>
  <p>Thank you for your order! Here is your summary:</p>
  <table border='1' cellpadding='8' cellspacing='0'>
    <tr style='background: #333; color: white;'>
      <th>Product</th><th>Qty</th><th>Price</th>
    </tr>
    <tr><td>Python Book &lt;script&gt;alert(&quot;xss&quot;)&lt;/script&gt;</td><td>1</td><td>$39.99</td></tr>
<tr><td>USB-C Cable</td><td>2</td><td>$12.50</td></tr>
<tr><td>Mechanical Keyboard</td><td>1</td><td>$89.00</td></tr>
  </table>
  <p><strong>Total: $153.99</strong></p>
</body>
</html>

Both the customer name and the malicious product name get HTML-escaped automatically, while the table structure and email markup remain intact. This is exactly the kind of “secure by default” behavior that t-strings were designed to provide. You could extend this pattern with a Safe wrapper class for pre-sanitized values that should not be double-escaped.

Frequently Asked Questions

What version of Python do I need to use t-strings?

T-strings require Python 3.14 or later. They were introduced through PEP 750 and are part of the standard library via the templatelib module. If you are on an earlier version, you will need to upgrade. You can check your version by running python --version in your terminal. Python 3.14 was released in October 2025.

How are t-strings different from str.format() and Template strings?

The str.format() method and string.Template both produce finished strings — they do not give you access to the interpolated values before rendering. T-strings produce a Template object that keeps static text and dynamic values separate, letting you process each value individually. This makes t-strings the only built-in option that supports safe, context-aware rendering out of the box.

Are t-strings slower than f-strings?

T-strings have slightly more overhead than f-strings because they create a Template object instead of immediately concatenating a string. However, the difference is negligible for most applications. The extra cost is in the range of microseconds per operation. If you are in a tight loop formatting millions of strings per second and do not need custom processing, stick with f-strings. For everything else, the safety and flexibility of t-strings more than justify the small performance cost.

Can I use t-strings as a drop-in replacement for f-strings?

Not directly, because t-strings return a Template object instead of a str. You need a rendering function to convert the template to a string. However, writing a simple render() function that concatenates all parts without modification gives you f-string-equivalent behavior. The migration path is: change the prefix from f to t, add a render call, then gradually add escaping or processing logic where needed.

Will web frameworks like Django and Flask adopt t-strings?

Several framework maintainers have expressed interest in t-string integration. The Django template engine and Jinja2 (used by Flask) could potentially use t-strings as a lower-level primitive for their template rendering. However, adoption takes time — expect third-party libraries to provide t-string-based template engines before the major frameworks integrate them into their core APIs. In the meantime, you can use t-strings in your own application code alongside existing template engines.

Conclusion

T-strings bring a powerful new capability to Python’s string formatting toolkit. We covered the basic syntax and the Template object anatomy, then built practical processors for HTML escaping, SQL parameterization, structured logging, and shell command safety. The real-life email builder project showed how these patterns combine to create secure-by-default templating in real applications.

The key takeaway is that t-strings do not replace f-strings — they complement them. Use f-strings for quick formatting where safety is not a concern, and use t-strings when interpolated values need processing before they reach the output. The ability to inspect and transform each value individually is what makes the difference between a convenient string and a secure one.

For the complete specification, read PEP 750 and the templatelib documentation.

Related Articles

• Complete Guide to Python Type Hints and Mypy
• How To Read and Write JSON Files in Python
• How To Use Python dataclasses Effectively