Fwd: JEP-326: Adding "escape()" and "unescape()" to java.lang.String

Brian Goetz brian.goetz at oracle.com
Wed Oct 24 19:57:46 UTC 2018


Received through the suggestion box.  

This offers another reason why the proposed `escape()` methods are questionably named (in addition to it being confusing which direction is “escape” and which is “unescape”), which is: users could confuse it for something that does quoting of malicious characters.



> Begin forwarded message:
> 
> From: Art O Cathain <art.home at gmail.com>
> Subject: JEP-326: Adding "escape()" and "unescape()" to java.lang.String
> Date: October 24, 2018 at 3:46:06 PM EDT
> To: amber-spec-comments at openjdk.java.net
> 
> I wonder at the wisdom of adding methods with such broad names to a
> fundamental type such as String. Developers are confused enough about
> escaping HTML and SQL - there is danger they'll simply concatenate
> some strings together, then call "escape()" and go home for the day,
> thinking their code is now secure.
> 
> Is there a more appropriate pair of names that indicates the type of
> escaping that will be performed?
> 
> Art O Cathain
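To make the concern in the forwarded message concrete, here is an added illustration that is not part of this thread and not the JEP's or the JDK's code. It assumes the Java-literal sense of "escape" that JEP 326 discussed (rendering control characters, backslashes and quotes as Java escape sequences, the reverse of interpreting them) and implements a simplified toy version of it as a hypothetical `javaEscape`, beside a context-specific `htmlEscape`. Running the same untrusted text through both shows that the literal-style escape leaves `<`, `>` and `&` untouched, so markup still parses, which is exactly the misunderstanding a bare `escape()` on `String` invites.

```java
import java.util.regex.Pattern;

public final class EscapeConfusion {

    // Toy "Java-literal" escape in the JEP 326 sense (simplified; hypothetical,
    // not the JDK's implementation): control characters, backslash and quotes
    // become Java escape sequences. Nothing HTML- or SQL-significant is touched.
    static String javaEscape(String s) {
        StringBuilder out = new StringBuilder(s.length() + 8);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '\\': out.append("\\\\"); break;
                case '"':  out.append("\\\""); break;
                case '\'': out.append("\\'");  break;
                case '\n': out.append("\\n");  break;
                case '\r': out.append("\\r");  break;
                case '\t': out.append("\\t");  break;
                default:
                    if (c < 0x20 || c == 0x7f) {
                        // remaining control characters as \\uXXXX
                        out.append(String.format("\\u%04x", (int) c));
                    } else {
                        out.append(c);
                    }
            }
        }
        return out.toString();
    }

    // Context-specific HTML escaping: neutralises the five characters that have
    // meaning to an HTML parser in element content or quoted attribute values.
    static String htmlEscape(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // Matches the start of an HTML tag; used only to check whether markup
    // structure survived a given escaping step.
    static final Pattern STILL_MARKUP = Pattern.compile("<[a-zA-Z/]");

    // Constructed sample of untrusted text a developer might concatenate into a
    // page. Harmless, but it contains every HTML-significant character plus a
    // control character so both escapers have something to act on.
    static final String UNTRUSTED = "<b>Tom & \"Jerry\"</b>\n";

    public static void main(String[] args) {
        String javaEscaped = javaEscape(UNTRUSTED);
        String htmlEscaped = htmlEscape(UNTRUSTED);

        System.out.println("javaEscape: " + javaEscaped);
        // -> <b>Tom & \"Jerry\"</b>\n   (tags and ampersand intact)
        System.out.println("htmlEscape: " + htmlEscaped);
        // -> &lt;b&gt;Tom &amp; &quot;Jerry&quot;&lt;/b&gt;

        System.out.println("markup survives javaEscape? "
                + STILL_MARKUP.matcher(javaEscaped).find());   // true
        System.out.println("markup survives htmlEscape? "
                + STILL_MARKUP.matcher(htmlEscaped).find());   // false
    }
}
```

The same distinction holds for the SQL case the message mentions: no general-purpose `String` method stands in for a context-aware encoder, and for SQL the right tool is a `PreparedStatement` with bind parameters rather than any escaping of concatenated text.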


