Is it safe to use python str.format method with user-submitted templates in server-side?

I am working on project where users must be able to submit templates containing placeholders to be later rendered to generate dynamic content.

For example, a user might submit a template like:

"${item.price} - {item.description} / {item.release_date}"

that would be after formatted with the real values.

Using a template engine (as Django or Jinja) for this purpose would require a lot of validation and sanitizing to prevent SSTI and XSS, so I was wondering if I could use the python str.format method to create a more limited and safer alternative, since this method cannot execute python code directly (I believe).

My question is:

Is using string.format safe enough when dealing with user-submitted templates, or it would still be vulnerable to injection attacks?
If it is not, is there any alternative to implement a "safe template rendering" in python?

No, it is not generally safe to use str.format with user-provided format strings.

Off the top of my head, I came up with this toy example of how str.format with a carefully constructed format string can easily leak sensitive information from your server. Other attack vectors may also exist.

This attack only relies on the attacker knowing (or guessing) the of types of the arguments being supplied to str.format.

Running this code will print all environment variables defined on the server:

import os

class Foo:
    def foo(self):
        pass

user_format = "{f.foo.__globals__[os].environ}"
print(user_format.format(f=Foo()))

Specific to Django, this format string will print your entire settings module, complete with your DB passwords, signing keys, and all sorts of other bits of exploitable information:

user_format = "{f.foo.__globals__[sys].modules[myapp.settings].__dict__}"