Fwd: JEP-326: Adding "escape()" and "unescape()" to java.lang.String
brian.goetz at oracle.com
Wed Oct 24 19:57:46 UTC 2018
Received through the suggestion box.
This offers another reason why the proposed `escape()` methods are questionably named (in addition to it being confusing which direction is “escape” and which is “unescape”), which is: users could confuse it for something that does quoting of malicious characters.
> Begin forwarded message:
> From: Art O Cathain <art.home at gmail.com>
> Subject: JEP-326: Adding "escape()" and "unescape()" to java.lang.String
> Date: October 24, 2018 at 3:46:06 PM EDT
> To: amber-spec-comments at openjdk.java.net
> I wonder at the wisdom of adding methods with such broad names to a
> fundamental type such as String. Developers are confused enough about
> escaping HTML and SQL - there is danger they'll simply concatenate
> some strings together, then call "escape()" and go home for the day,
> thinking their code is now secure.
> Is there a more appropriate pair of names that indicates the type of
> escaping that will be performed?
> Art O Cathain
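The confusion Art describes, shown as an added example that is not code from the JEP, the JDK, or either author. It contrasts a hypothetical Java-literal-style escape (`javaLiteralEscape`, my own model of the escape-sequence transformation the JEP is concerned with, not the JDK API) with a contextual HTML encoder (`htmlEncode`), both named here as assumptions. The point for a reviewer or code author: the literal-style transform only rewrites backslashes, quotes and control characters, so HTML and SQL metacharacters pass through untouched, and a string that was "escaped" in that sense is no safer to concatenate into markup or a query.

```java
import java.util.List;

public final class EscapeIsNotSanitize {

    // Hypothetical model of a Java-literal-style escape(): rewrites backslashes,
    // double quotes and control characters as escape sequences. This is the kind
    // of transformation a string-literal API performs; it knows nothing about HTML
    // or SQL and is NOT the JDK's method.
    static String javaLiteralEscape(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '\\': sb.append("\\\\"); break;
                case '"':  sb.append("\\\""); break;
                case '\n': sb.append("\\n");  break;
                case '\r': sb.append("\\r");  break;
                case '\t': sb.append("\\t");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Contextual encoder for HTML element content and attribute values: replaces
    // exactly the characters that change meaning in that context.
    static String htmlEncode(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Detection helper: does the output still carry characters that would be
    // interpreted structurally by an HTML parser or a SQL parser?
    static boolean stillHasHtmlDelimiters(String s) {
        return s.indexOf('<') >= 0 || s.indexOf('>') >= 0;
    }

    static boolean stillHasSqlQuote(String s) {
        return s.indexOf('\'') >= 0;
    }

    public static void main(String[] args) {
        // Constructed sample inputs: one carries HTML delimiters, one a single quote
        // that would terminate a SQL string literal if concatenated into a query.
        List<String> samples = List.of("<b>hello</b>", "O'Brien");

        for (String untrusted : samples) {
            String literalEscaped = javaLiteralEscape(untrusted);
            String htmlEscaped = htmlEncode(untrusted);

            System.out.println("input:            " + untrusted);
            System.out.println("literal escape:   " + literalEscaped
                    + "  html delimiters left=" + stillHasHtmlDelimiters(literalEscaped)
                    + "  sql quote left=" + stillHasSqlQuote(literalEscaped));
            System.out.println("html encode:      " + htmlEscaped
                    + "  html delimiters left=" + stillHasHtmlDelimiters(htmlEscaped)
                    + "  sql quote left=" + stillHasSqlQuote(htmlEscaped));
            System.out.println();
        }
        // For SQL, no string-level encoding is the right tool at all: bind the value
        // as a parameter (java.sql.PreparedStatement) rather than concatenating it.
    }
}
```

The `stillHas…` checks are the kind of assertion a unit test or a code-review linter can make about output before it reaches a sink: a method named `escape()` on `String` gives no hint of which sink it protects, which is exactly why a context-specific name (or a context-specific encoder living somewhere other than `java.lang.String`) reads more safely.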