Github user greenman18523 commented on the issue:
https://github.com/apache/commons-lang/pull/335
Hello @stokito
> As I understood you are telling about more safety and do not unmask any
> symbol if incoming string is too short while implementation which I proposed
> will try to show at least some symbols from start.
> For example mask("123456", 4, 4) = "12****" which makes hidden symbols more
> guessable.
> But, to be honest, if someone uses so short password then it doesn't matter
> if it will be shown.

Yes, safety is my main concern. But in cases of arbitrary length data (e.g.
names, addresses, messages), it's harder to say that one approach (the one
implicitly specified in the method) on how many chars are masked or not is the
correct one. Also, as a programmer I would like to have the flexibility to specify
it, since regulations can differ world-wide.
But since your approach is meaningful in cases of specific-length data, I
guess we can have two methods, sharing one implementation.
`public static String mask(final String str, int unmaskedStart, int unmaskedEnd, final char mask)`
and
`public static String mask(final String str, int unmaskedStart, int unmaskedEnd, int minMasked, final char mask)`
with one calling the other.
I agree that the methods should be failsafe, otherwise we will need to
place boilerplate code before calling them and I think it should be a
one-liner, since as you say, main usage will be in logs.
Performance-wise I think it is ok, and above all better to not rush on this
matter, since it might not be needed.
P.S. I wouldn't use this for passwords, as anything can tip a malicious 3rd
party, even the length. Better to not print anything.
---
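A sketch of the two-overload design discussed in the comment above, added here as an illustration; it is not code from the pull request or from Commons Lang. The class name `MaskSketch`, the default of one hidden character in the four-argument overload, and the rule that an input too short to honour `minMasked` is masked entirely are all assumptions.

```java
import java.util.Arrays;

// Hypothetical class; not part of Commons Lang or the pull request.
public final class MaskSketch {

    private MaskSketch() { }

    // Convenience overload: delegates with minMasked = 1 (assumed default).
    public static String mask(final String str, int unmaskedStart,
                              int unmaskedEnd, final char mask) {
        return mask(str, unmaskedStart, unmaskedEnd, 1, mask);
    }

    // Shared implementation. Never throws, so it can be used as a
    // one-liner inside a log statement without guard code.
    public static String mask(final String str, int unmaskedStart,
                              int unmaskedEnd, int minMasked, final char mask) {
        if (str == null || str.isEmpty()) {
            return str; // nothing to hide
        }
        final int len = str.length();
        // Negative arguments are treated as 0 instead of being rejected.
        final long start = Math.max(0, unmaskedStart);
        final long end = Math.max(0, unmaskedEnd);
        final long hidden = Math.max(0, minMasked);
        // long arithmetic so large int arguments cannot overflow the sum.
        final boolean tooShort = start + end + hidden > len;
        // Assumed policy: if the visible windows plus the required hidden
        // run do not fit, reveal nothing rather than shrink the windows.
        final int from = tooShort ? 0 : (int) start;
        final int to = tooShort ? len : len - (int) end;
        final char[] out = str.toCharArray();
        Arrays.fill(out, from, to, mask);
        return new String(out);
    }

    public static void main(String[] args) {
        // Constructed sample inputs.
        System.out.println(mask("1234567890123456", 4, 4, '*'));
        System.out.println(mask("123456", 4, 4, '*'));
        System.out.println(mask("1234567890123456", 4, 4, 10, '*'));
        System.out.println(mask(null, 4, 4, '*'));
        System.out.println(mask("abc", -1, Integer.MAX_VALUE, '*'));
    }
}
```

The output length still equals the input length, so this does not address the length leak raised in the P.S.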