>You don't have to escape arguments, for example, below shouldn't crash on
>any version of .NET.

>Were you perhaps passing user input as the format string instead?
>That you will have to escape.

Oops! Sorry, you're right, I had it backwards. The format string contains
"{Intention}", not the argument.

>http://geekswithblogs.net/jonasb/archive/2007/03/05/108023.aspx

This is a well-known answer; my puzzle is one of scope of the problem. There
are so many string.Formats in my code (thousands scattered over dozens of
solutions) that I can't find an elegant way of globally intercepting the
problem at the different levels from the UI all the way down to the lowest
back end.

It's not even trivial to identify which of my Format calls are at risk of
the braces crash. Finding them would be like performing a security audit. I
think we all have string formatting time-bombs in our code.

Greg
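
An added example, not part of the original message: a heuristic Python scan over C# source that marks each `string.Format` call as `ok`, `malformed` (a constant format string whose braces are neither `{index}` items nor `{{`/`}}` escapes, such as `{Intention}`) or `review` (the format string is not a constant, so its braces are unknown until run time). The regexes, verdict names and sample C# lines are constructed assumptions; comments and char literals are not parsed, and the `IFormatProvider` overload lands in `review`.

```python
import re

CALL = re.compile(r"\b[Ss]tring\.Format\s*\(")
LITERAL = re.compile(r'^(?:@"(?:[^"]|"")*"|"(?:[^"\\]|\\.)*")$', re.S)
ITEM = re.compile(r"\{\d+(?:,\s*-?\d+)?(?::[^{}]*)?\}")  # {index[,align][:format]}

def first_argument(src, start):
    """Text of the first argument; start is the index just past the call's '('."""
    depth, i, in_str, verbatim = 0, start, False, False
    while i < len(src):
        c = src[i]
        if in_str:
            pair = src[i:i + 2] == '""' if verbatim else c == "\\"
            if pair:
                i += 1                  # skip "" in @"..." or a backslash escape
            elif c == '"':
                in_str = False
        elif c == '"':
            in_str, verbatim = True, "@" in src[max(start, i - 2):i]
        elif c in "([{":
            depth += 1
        elif c in ")]}" and depth > 0:
            depth -= 1
        elif c in ",)" and depth == 0:
            break                       # end of the first top-level argument
        i += 1
    return src[start:i].strip()

def classify(arg):
    """'review' if the format string is not a constant, else check its braces."""
    if not LITERAL.match(arg):
        return "review"                 # contents unknown until run time
    body = arg[arg.index('"') + 1:-1].replace("{{", "").replace("}}", "")
    return "malformed" if re.search(r"[{}]", ITEM.sub("", body)) else "ok"

def audit(src):
    """(line, first argument, verdict) for every string.Format call in src."""
    args = [(m, first_argument(src, m.end())) for m in CALL.finditer(src)]
    return [(src.count("\n", 0, m.start()) + 1, a, classify(a)) for m, a in args]

# Constructed C# lines for illustration; not taken from the thread.
SAMPLE = '''var a = string.Format("Hello {0}", userName);
var b = string.Format("Set {Intention} for {0}", userName);
var c = string.Format(userComment);
var d = String.Format("Note: " + userComment, id);
var e = string.Format(@"{0} said ""{{hi}}""", Describe(p, q));'''

if __name__ == "__main__":
    for line, arg, verdict in audit(SAMPLE):
        print(f"line {line}: {verdict:9} {arg}")
```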
