JEP-326: Adding "escape()" and "unescape()" to java.lang.String
james.laskey at oracle.com
Wed Oct 24 21:20:46 UTC 2018
deraw, unraw, bake, cook, …
> On Oct 24, 2018, at 4:57 PM, Brian Goetz <brian.goetz at oracle.com> wrote:
> Received through the suggestion box.
> This offers another reason why the proposed `escape()` methods are questionably named (in addition to it being confusing which direction is “escape” and which is “unescape”), which is: users could confuse it for something that does quoting of malicious characters.
>> Begin forwarded message:
>> From: Art O Cathain <art.home at gmail.com <mailto:art.home at gmail.com>>
>> Subject: JEP-326: Adding "escape()" and "unescape()" to java.lang.String
>> Date: October 24, 2018 at 3:46:06 PM EDT
>> To: amber-spec-comments at openjdk.java.net <mailto:amber-spec-comments at openjdk.java.net>
>> I wonder at the wisdom of adding methods with such broad names to a
>> fundamental type such as String. Developers are confused enough about
>> escaping HTML and SQL - there is danger they'll simply concatenate
>> some strings together, then call "escape()" and go home for the day,
>> thinking their code is now secure.
>> Is there a more appropriate pair of names that indicates the type of
>> escaping that will be performed?
>> Art O Cathain
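The confusion Art describes, as an added example that is not part of the thread or of the JDK: `javaEscape` is an assumed stand-in for the proposed `String.escape()` (quotes, backslashes and control characters rewritten as Java escape sequences), `htmlEscape` is a separate output encoder for an HTML context, and both method names, the class name and the sample input are assumptions.

```java
public final class EscapeKinds {

    // Assumed behaviour of the proposed String.escape() (JEP 326); not JDK code.
    // Only characters that need a Java escape sequence inside a string literal change.
    static String javaEscape(String s) {
        StringBuilder out = new StringBuilder(s.length() + 8);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '\\': out.append("\\\\"); break;
                case '"':  out.append("\\\""); break;
                case '\n': out.append("\\n");  break;
                case '\r': out.append("\\r");  break;
                case '\t': out.append("\\t");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // Output encoding for HTML text and attribute values: the characters the
    // HTML parser cares about, none of which javaEscape() neutralises.
    static String htmlEscape(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    public static void main(String[] args) {
        String userInput = "Tom & Jerry <3 \"quotes\"";          // constructed sample input
        String page = "<span title=\"" + userInput + "\">";       // concatenate first, as the mail warns
        // '<', '>' and '&' pass through untouched, and the '\"' still terminates the
        // attribute because a backslash means nothing to an HTML attribute parser.
        System.out.println(javaEscape(page));
        // Encoding the untrusted value for its context, before concatenation, is the fix.
        System.out.println("<span title=\"" + htmlEscape(userInput) + "\">");
    }
}
```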