String Interpolation
Adam Wilson
flyboynw at gmail.com
Fri Oct 27 07:59:27 UTC 2023
On Thursday, 26 October 2023 at 16:25:26 UTC, Adam D Ruppe wrote:
> On Thursday, 26 October 2023 at 16:14:08 UTC, bachmeier wrote:
>> Why not this?
>
> https://en.wikipedia.org/wiki/String_interpolation#Security_issues
Unfortunately, this is about injection attacks, not
auto-rendering, which are unrelated to whether or not the string
is auto-rendered from its tuple form. In both cases the
formatter would have to take care of the escaping and filtering
before it is rendered into a string.
Consider that the DIP currently allows auto-decoding on a string
parameter of a method. What is the functional difference?
Furthermore, consider the following example:
```d
class Test {
    public string a;
    public @property string b(string value) { return a = value; }
}

void main() {
    auto t = new Test; // a and b are instance members, so an instance is needed
    int x = 42;
    t.a = $"...{x}..."; // Compiler error
    t.b = $"...{x}..."; // No compiler error
}
```
This is one of those vexatious compiler errors that makes no sense
when you read the code, but makes sense to the compiler. And it
doesn't actually solve anything, because the problem is with
what's passed into the string tuples, not the fact of rendering
or not.
There is a debate to be had about the foot-gun nature of all
forms of string interpolation/templating, but disabling rendering
on assignment has nothing to do with it.
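The point about escaping belonging in the formatter can be shown independently of D's syntax. The following is an added illustration, not code from the thread or from the D DIP: it models an interpolated string as a tuple of literal and value parts (the names `Lit`, `Val`, `interp`, `render_plain`, `render_html` and `to_parameterized_sql` are invented for this example), and contrasts a formatter that receives the tuple, and so can escape or parameterize each value, with one that only ever sees a pre-rendered string.

```python
import html
from dataclasses import dataclass
from typing import Any, List, Tuple, Union


@dataclass(frozen=True)
class Lit:
    """A literal segment of the interpolated string (trusted, written by the developer)."""
    text: str


@dataclass(frozen=True)
class Val:
    """An interpolated expression value (possibly untrusted at runtime)."""
    value: Any


Part = Union[Lit, Val]


def interp(*parts: Part) -> Tuple[Part, ...]:
    """Stand-in for what a compiler would produce from $"...{x}..." : the tuple form."""
    return tuple(parts)


def render_plain(parts: Tuple[Part, ...]) -> str:
    """Auto-rendering: concatenate everything. Values are inserted verbatim."""
    return "".join(p.text if isinstance(p, Lit) else str(p.value) for p in parts)


def render_html(parts: Tuple[Part, ...]) -> str:
    """HTML formatter: literals are emitted as-is, interpolated values are escaped.

    This only works because the formatter still sees which parts were values.
    """
    out = []
    for p in parts:
        if isinstance(p, Lit):
            out.append(p.text)
        else:
            out.append(html.escape(str(p.value)))
    return "".join(out)


def to_parameterized_sql(parts: Tuple[Part, ...]) -> Tuple[str, List[Any]]:
    """SQL formatter: each value becomes a '?' placeholder plus a bound parameter."""
    sql = []
    params: List[Any] = []
    for p in parts:
        if isinstance(p, Lit):
            sql.append(p.text)
        else:
            sql.append("?")
            params.append(p.value)
    return "".join(sql), params


# Constructed sample input: a name containing markup, as an untrusted value might.
UNTRUSTED_NAME = "<b>alice</b>"
GREETING = interp(Lit("<p>Hello, "), Val(UNTRUSTED_NAME), Lit("!</p>"))
QUERY = interp(Lit("SELECT * FROM users WHERE name = "), Val(UNTRUSTED_NAME))


def prerendered_then_html() -> str:
    """If the string is rendered first, the HTML formatter receives one literal
    and has nothing left to escape: the markup passes through untouched."""
    return render_html(interp(Lit(render_plain(GREETING))))


if __name__ == "__main__":
    print(render_plain(GREETING))
    print(render_html(GREETING))
    print(to_parameterized_sql(QUERY))
    print(prerendered_then_html())
```

The interesting case is `prerendered_then_html`: once the tuple has been collapsed into a string, the escaping formatter cannot distinguish the developer's literal markup from the runtime value, which is why the escaping decision has to be made by whatever consumes the tuple, not by whether assignment auto-renders it.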