New candidate JEP: 430: String Templates (Preview)
Brian Goetz
brian.goetz at oracle.com
Thu Sep 22 03:02:01 UTC 2022
> Just curious, doesn't JSP/JSF processing already use a "string
> template" type paradigm using a ${} type syntax. Would any changes
> here be usable either here or there?
You're thinking of "EL" (expression language). This works by using a
Map-like context for key-value pairs, but the expressions are encoded
as strings: "${foo.bar.baz}", where it looks in the context for "foo",
then looks for a bar() / getBar() method or bar field, etc. String
templates would have given us a better way to express such things that
aren't quite so stringly typed.
> Given recent log4j security issues, is there any possible risk that
> expansion could introduce some exploitable logic? Does any sort of
> constraint or mechanism need to protect against that, or am I
> overthinking it?
That would be a function of the template processor. One could certainly
write a template processor that was vulnerable in the same way Log4j was.
> ------------------------------------------------------------------------
> *From:* jdk-dev <jdk-dev-retn at openjdk.org> on behalf of Attila Kelemen
> <attila.kelemen85 at gmail.com>
> *Sent:* Wednesday, September 21, 2022 6:20 PM
> *To:* Brian Goetz <brian.goetz at oracle.com>
> *Cc:* amber-dev at openjdk.org <amber-dev at openjdk.org>;
> jdk-dev at openjdk.org <jdk-dev at openjdk.org>
> *Subject:* Re: New candidate JEP: 430: String Templates (Preview)
> Thanks for the responses. See some of my clarifications below.
>
> > >
> > > 1. Might be a personal preference, but I find the
> > > `TemplateProcessorExpression . Template` syntax bizarre.
> >
> > We knew that at least one out of the 10M Java developers would loudly
> > proclaim "I hate the syntax", so congratulations, it's you :) New
> > syntaxes are risky; people are used to "${foo}" in other languages, and
> > this is new and different, and sometimes different is scary. But, it
> > wasn't picked out of a hat; a good deal of thought has gone into this,
> > and so while it may seem weird now, give it a year and I suspect it will
> > not seem so odd. (In any case, amber-dev isn't the forum for syntax
> > discussions, so let's leave this here.)
>
> Just to clear the misunderstanding: I was not commenting on the "\{foo}",
> I consider that a good thing (better than "${foo}" for sure, and "${foo}"
> would not even be a compatible change). I was talking about the:
> `STR."bla ${myVar} bla"`. As opposed to just calling the respective
> methods.
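The point that safety "would be a function of the template processor" is easy to see with the JEP 430 API. The following is an added example, not code from this thread or from the JEP itself: a processor that escapes every interpolated value for HTML and never re-scans values for template syntax, placed next to the built-in STR, which interpolates verbatim. It assumes Java 21 with --enable-preview and the preview StringTemplate API.

```java
// Added example (not from the thread or the JEP). Assumes Java 21 with
// --enable-preview, where StringTemplate and STR are available.
import java.util.List;

public class SafeHtmlProcessor {
    // Escape the characters that would let a value change HTML structure.
    static String escape(Object v) {
        StringBuilder sb = new StringBuilder();
        for (char c : String.valueOf(v).toCharArray()) {
            switch (c) {
                case '<'  -> sb.append("&lt;");
                case '>'  -> sb.append("&gt;");
                case '&'  -> sb.append("&amp;");
                case '"'  -> sb.append("&quot;");
                case '\'' -> sb.append("&#39;");
                default   -> sb.append(c);
            }
        }
        return sb.toString();
    }

    // The processor sees the literal fragments (written by the author) and the
    // values (runtime data) separately. Here each value is escaped and treated as
    // opaque data, so it can neither inject markup nor trigger a second expansion
    // the way Log4j's nested "${...}" lookups did.
    static final StringTemplate.Processor<String, RuntimeException> HTML =
        StringTemplate.Processor.of(st -> {
            List<String> fragments = st.fragments(); // always values.size() + 1 entries
            List<Object> values = st.values();
            StringBuilder out = new StringBuilder(fragments.get(0));
            for (int i = 0; i < values.size(); i++) {
                out.append(escape(values.get(i))).append(fragments.get(i + 1));
            }
            return out.toString();
        });

    public static void main(String[] args) {
        String user = "Ada & <b>Bob</b>"; // constructed sample input
        // Same template, different processor: only the processor decides
        // whether a value is copied verbatim or neutralised.
        System.out.println(STR."<p>Hello \{user}</p>");
        System.out.println(HTML."<p>Hello \{user}</p>");
    }
}
```

The second line of output contains `&lt;b&gt;` rather than a live `<b>` tag, while STR reproduces the value unchanged; a processor that instead re-parsed its output for further `${...}` or `\{...}` syntax would reintroduce exactly the Log4j-style risk the question asks about.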