moo.core.tests.test_security_sandbox.test_str_format_dunder_blocked

moo.core.tests.test_security_sandbox.test_str_format_dunder_blocked()

str.format() is blocked to prevent C-level dunder traversal. '{0.__class__}'.format(obj) bypasses _getattr_ entirely because Python’s format engine resolves attribute chains using the real C-level getattr. Blocking access to .format on string instances closes this vector.
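The behaviour described above, modelled as an added example that is not code from the moo project: Guard is a hypothetical stand-in for the sandbox's _getattr_ hook, and Item is a constructed sample object. The recorded lookups show that the guard is consulted for "format" but never for "__class__" inside the template.

```python
class Guard:
    """Hypothetical stand-in for a sandbox _getattr_ hook; records every lookup."""

    def __init__(self, block_str_format):
        self.block_str_format = block_str_format
        self.seen = []  # attribute names the guard was actually asked about

    def __call__(self, obj, name):
        self.seen.append(name)
        if name.startswith("_"):
            raise AttributeError(f"{name!r} is blocked")
        if self.block_str_format and isinstance(obj, str) and name == "format":
            raise AttributeError("str.format is blocked")
        return getattr(obj, name)


class Item:  # constructed sample object handed to sandboxed code
    name = "lamp"


def run_sandboxed_attr(guard, obj, name):
    """Model of sandboxed `obj.<name>` written directly in source."""
    try:
        return guard(obj, name)
    except AttributeError as exc:
        return f"blocked: {exc}"


def run_sandboxed_format(guard, template, obj):
    """Model of sandboxed `template.format(obj)`: only the `.format` lookup
    goes through the guard; fields inside the template are resolved by the
    format engine itself, without consulting the guard."""
    try:
        return guard(template, "format")(obj)
    except AttributeError as exc:
        return f"blocked: {exc}"


if __name__ == "__main__":
    weak, strict = Guard(block_str_format=False), Guard(block_str_format=True)
    print(run_sandboxed_attr(weak, Item(), "__class__"))         # guard refuses
    print(run_sandboxed_format(weak, "{0.__class__}", Item()))   # class leaks
    print(weak.seen)                                             # no guarded lookup during formatting
    print(run_sandboxed_format(strict, "{0.__class__}", Item())) # refused at .format
```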