<html><body><div style="font-family: arial, helvetica, sans-serif; font-size: 12pt; color: #000000"><div><br></div><div><br></div><hr id="zwchr" data-marker="__DIVIDER__"><div data-marker="__HEADERS__"><blockquote style="border-left:2px solid #1010FF;margin-left:5px;padding-left:5px;color:#000;font-weight:normal;font-style:normal;text-decoration:none;font-family:Helvetica,Arial,sans-serif;font-size:12pt;"><b>From: </b>"Reinier Zwitserloot" <reinier@projectlombok.org><br><b>To: </b>"amber-dev" <amber-dev@openjdk.java.net><br><b>Cc: </b>"Brian Goetz" <brian.goetz@oracle.com><br><b>Sent: </b>Friday, March 31, 2023 7:11:34 PM<br><b>Subject: </b>Re: Feedback: String Templates (JEP 430)<br></blockquote></div><div data-marker="__QUOTED_TEXT__"><blockquote style="border-left:2px solid #1010FF;margin-left:5px;padding-left:5px;color:#000;font-weight:normal;font-style:normal;text-decoration:none;font-family:Helvetica,Arial,sans-serif;font-size:12pt;"><div dir="ltr"><span style="color:">On 31 Mar 2023 at 17:37:00, Brian Goetz <<a href="mailto:brian.goetz@oracle.com" target="_blank">brian.goetz@oracle.com</a>> wrote:</span><br></div><div class="gmail_quote">
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div><div>
</div>
<div>The
examples here are intended to motivate why the design is as it is,
and illustrate the sort of use cases we have in mind. <br></div></div></blockquote><div class="gmail_quote"><br></div><div class="gmail_quote" dir="ltr">For the JSON example, it’s just an oversimplification in the example code, but, some sort of callout that the example code is oversimplified so much it’s now insecure is warranted, no? Or just remove the implementation code, given that it isn’t all that illustrative - the example works just fine without it, given that the call-site code is the key part of the example. Just a minor nit.</div><br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div><div>
<br>
<blockquote>just call `STR.process(st)` instead of
`st.interpolate()`</blockquote>
<br>
Your point here is, I think, that the `interpolate` is an
"attractive nuisance", and will make it too easy for people to do
the wrong thing without thinking. A valid concern, but on the other
hand, is the extra step going to deter those folks? <br></div></div></blockquote><div class="gmail_quote"><br></div><div class="gmail_quote" dir="ltr">I think it’ll deter a significant amount. The obvious place to look for ‘how do I String Template Processor’ is, at least in my experience, the same place folks look for just about any other API: The methods directly available on <code style="border:1px solid rgb(206,206,206);background-color:rgb(244,244,244);padding:0px 2px;border-radius:2px">StringTemplate</code>. The easy action to take, once someone has decided to write a processor, is to let the IDE generate the required signature, and then auto-complete the available parameters and methods from there. By removing <code style="border:1px solid rgb(206,206,206);background-color:rgb(244,244,244);padding:0px 2px;border-radius:2px">interpolate()</code> from that lowest-effort flow, you <i>force</i> someone to go out and look for it, which gives them some time to think and stands at least some chance of highlighting the security implications of <code style="border:1px solid rgb(206,206,206);background-color:rgb(244,244,244);padding:0px 2px;border-radius:2px">st.interpolate()</code>/<code style="border:1px solid rgb(206,206,206);background-color:rgb(244,244,244);padding:0px 2px;border-radius:2px">STR.process(st)</code>.</div><div class="gmail_quote" dir="ltr"><br></div><div class="gmail_quote" dir="ltr">This is always a very tough discussion: How much should the language design prevent silly mistakes. On one hand, perfection is quite impossible: The universe is far too good at coming up with incompetence, there is no way to stop all foreseeable abuse of an API, and therefore, that cannot be a goal. However, making an API where the obvious way to use it is subtly but dangerously incorrect, is, and surely this requires no debate, bad API design. The trick is figuring out where to draw the line. Especially considering that <code style="border:1px solid rgb(206,206,206);background-color:rgb(244,244,244);padding:0px 2px;border-radius:2px">interpolate()</code> can always be added later, but if added, cannot be removed, I recommend <i>not</i> including it in the first release of this API. The javadoc of Processor and/or StringTemplate itself should explain how one can interpolate (by using <code style="border:1px solid rgb(206,206,206);background-color:rgb(244,244,244);padding:0px 2px;border-radius:2px">STR.process(st)</code>), with all due warnings about the dangers of doing so.</div></div></blockquote><div><br></div><div>I agree that interpolate() is too easy to misuse but at the same time, it's a useful primitive.<br></div><div>I wonder if the solution is to add an escape function, a function that takes an Object and returns an Object that should escape the values to interpolate.<br data-mce-bogus="1"></div><div><br data-mce-bogus="1"></div><div>Something like<br data-mce-bogus="1"></div><div> public String StringTemplate.interpolate(UnaryOperator<Object> escapeFunction) { ... }<br data-mce-bogus="1"></div><div><br data-mce-bogus="1"></div><div>By asking for an escape function, we are making the API safer to use.<br></div><div><br data-mce-bogus="1"></div><div>Rémi<br data-mce-bogus="1"></div><div><br data-mce-bogus="1"></div></div></div></body></html>