Update on String Templates (JEP 459)
Guy Steele
guy.steele at oracle.com
Mon Mar 18 17:53:43 UTC 2024
> On Mar 18, 2024, at 9:38 AM, Brian Goetz <brian.goetz at oracle.com> wrote:
> . . .
> A few people have implied that only the tainted parts of an ST (the embedded expressions) need special processing, but I'll point out that the untainted parts may often require domain-specific validation. For example, a ST representing a SQL query wants balanced quotes, and might want to require quotes around embedded expressions.
Thank you for mentioning this, especially in connection with SQL, which has been much on my mind this last week. Yes, for complete safety, an SQL processor really ought to do a proper parse of the entire SQL statement represented by the fragments and verify that the “holes” filled by the expressions make sense. In elaborate cases, it may be necessary to figure out what kind of thing is represented by the hole (value, name, data type) before it can properly validate and escape the associated expression.
—Guy
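The validation sketched in the two messages above (check the literal fragments themselves, then work out what kind of thing each hole stands for before escaping or binding the expression), as an added Python example that is not part of this thread or of any JDK code. The fragments/values split mirrors the StringTemplate model of JEP 459; `process_sql`, `check_quotes`, `hole_kind`, `TABLE_KEYWORDS` and the table allowlist are this example's own assumptions. It takes the policy of binding value holes as parameters, so a hole that falls inside a quoted literal is rejected rather than required to be quoted; a name hole cannot be bound, so it is allowlisted and quoted as an identifier instead.

```python
"""Constructed example: a SQL template processor that validates the literal
fragments and classifies each hole before binding the expression values.
The fragments/values split mirrors the StringTemplate model of JEP 459;
everything else here is an assumption of this example, not JDK API."""
import re
from dataclasses import dataclass
from typing import Any, Sequence

IDENT_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")
# Keywords after which a hole denotes a table name rather than a value (assumed set).
TABLE_KEYWORDS = ("FROM", "JOIN", "INTO", "UPDATE")


class TemplateError(ValueError):
    """Raised when the template text or one of its holes fails validation."""


@dataclass(frozen=True)
class Prepared:
    sql: str            # statement text with every value hole replaced by '?'
    params: tuple       # values to bind, in hole order


def check_quotes(fragments: Sequence[str]) -> None:
    """Scan the literal fragments as one SQL text, tracking '...' string
    literals ('' inside a literal is an escaped quote).  Every hole must sit
    outside a string literal, and the whole template must close its quotes."""
    in_string = False
    for i, frag in enumerate(fragments):
        j = 0
        while j < len(frag):
            if frag[j] == "'":
                if in_string and frag[j + 1:j + 2] == "'":
                    j += 2          # escaped quote: stay inside the literal
                    continue
                in_string = not in_string
            j += 1
        if in_string and i < len(fragments) - 1:
            raise TemplateError(f"hole {i} lies inside a string literal")
    if in_string:
        raise TemplateError("unbalanced quotes in template text")


def hole_kind(preceding: str) -> str:
    """Decide what the hole stands for from the fragment before it:
    a table name after FROM/JOIN/INTO/UPDATE, otherwise a value."""
    words = preceding.strip().upper().split()
    if words and words[-1] in TABLE_KEYWORDS:
        return "table"
    return "value"


def process_sql(fragments: Sequence[str], values: Sequence[Any],
                allowed_tables: frozenset = frozenset()) -> Prepared:
    """Validate the template text, then bind values as '?' parameters and
    allowlist + quote identifier holes.  Raises TemplateError on any problem."""
    if len(fragments) != len(values) + 1:
        raise TemplateError("fragments must outnumber values by exactly one")
    check_quotes(fragments)
    out, params = [fragments[0]], []
    for i, value in enumerate(values):
        if hole_kind(fragments[i]) == "table":
            # Names cannot be bound as parameters: allowlist them and quote them.
            if (not isinstance(value, str) or not IDENT_RE.match(value)
                    or value not in allowed_tables):
                raise TemplateError(f"hole {i}: {value!r} is not an allowed table")
            out.append(f'"{value}"')
        else:
            out.append("?")
            params.append(value)
        out.append(fragments[i + 1])
    return Prepared("".join(out), tuple(params))


if __name__ == "__main__":
    # Constructed template:  SELECT id, name FROM \{table} WHERE name = \{name} AND age > \{age}
    p = process_sql(["SELECT id, name FROM ", " WHERE name = ", " AND age > ", ""],
                    ["users", "O'Brien", 30], allowed_tables=frozenset({"users"}))
    print(p.sql, p.params)
```

A real processor would run a full SQL grammar rather than the keyword lookbehind in `hole_kind`, which is the minimum needed to show the "what kind of thing is the hole" step; the quote scan is likewise only the single-quote literal rule, so dialects with other quoting or comment syntax need more cases.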
More information about the amber-spec-observers mailing list