Re-write all your Format calls to preFormat, which does a sanity check on parameters? It'd let you do a global search-and-replace through your code, and give you one spot to add escaping of the braces if the contents of the braces didn't meet a pre-determined string.
On Thu, Feb 3, 2011 at 5:34 PM, Greg Keogh <[email protected]> wrote:
>
> > You don't have to escape arguments, for example, below shouldn't crash on any version of .NET.
>
> > Were you perhaps instead passing user input as the format string instead? That you will have to escape.
>
> Oops! Sorry, you're right, I had it backwards. The format string contains "{Intention}", not the argument.
>
> > http://geekswithblogs.net/jonasb/archive/2007/03/05/108023.aspx
>
> This is a well-known answer; my puzzle is one of the scope of the problem. There are so many string.Formats in my code (thousands scattered over dozens of solutions) that I can't find an elegant way of globally intercepting the problem at the different levels from the UI all the way down to the lowest back end.
>
> It's not even trivial to identify which of my Format calls are at risk of the braces crash. Finding them would be like performing a security audit. I think we all have string formatting time-bombs in our code.
>
> Greg

--
Meski

"Going to Starbucks for coffee is like going to prison for sex. Sure, you'll get it, but it's going to be rough" - Adam Hills
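One way to build the preFormat wrapper suggested above, written as an added C# example that is not code from this thread or from either poster. The class and method names (SafeFormat.PreFormat), the placeholder grammar it accepts (an index, optional alignment, optional format string, no nested braces) and the sample inputs in Main are all assumptions made for the illustration. Any brace that does not form a placeholder with an in-range index is doubled so string.Format treats it as a literal, and braces that are already doubled are passed through unchanged, which is what lets the wrapper replace existing calls without changing their output.

```csharp
using System;
using System.Globalization;
using System.Text;
using System.Text.RegularExpressions;

static class SafeFormat
{
    // Placeholder shape accepted by the wrapper (assumed subset of the .NET grammar):
    // {index[,alignment][:formatString]} with no braces inside the format string.
    static readonly Regex Placeholder = new Regex(@"^\{\d+(,-?\d+)?(:[^{}]*)?\}$");

    // Drop-in replacement for string.Format: every brace that is not a well-formed
    // placeholder whose index is within args is escaped, so stray text such as
    // "{Intention}" in the format string no longer throws FormatException.
    public static string PreFormat(string format, params object[] args)
    {
        if (format == null) throw new ArgumentNullException(nameof(format));
        if (args == null) args = new object[0];

        var sb = new StringBuilder(format.Length + 8);
        int i = 0;
        while (i < format.Length)
        {
            char c = format[i];
            if (c == '{')
            {
                // Already-escaped "{{" is kept as is so pre-existing callers are unaffected.
                if (i + 1 < format.Length && format[i + 1] == '{')
                {
                    sb.Append("{{");
                    i += 2;
                    continue;
                }
                int close = format.IndexOf('}', i);
                string candidate = close < 0 ? null : format.Substring(i, close - i + 1);
                if (candidate != null && Placeholder.IsMatch(candidate))
                {
                    int end = candidate.IndexOfAny(new[] { ',', ':', '}' }, 1);
                    int index = int.Parse(candidate.Substring(1, end - 1), CultureInfo.InvariantCulture);
                    if (index < args.Length)
                    {
                        sb.Append(candidate);   // genuine placeholder, pass it through
                        i = close + 1;
                        continue;
                    }
                }
                sb.Append("{{");                // not a usable placeholder: make it literal
                i++;
            }
            else if (c == '}')
            {
                // A lone "}" is an error for string.Format; "}}" is already a literal.
                bool escaped = i + 1 < format.Length && format[i + 1] == '}';
                sb.Append("}}");
                i += escaped ? 2 : 1;
            }
            else
            {
                sb.Append(c);
                i++;
            }
        }
        return string.Format(CultureInfo.InvariantCulture, sb.ToString(), args);
    }
}

static class Demo
{
    static void Main()
    {
        // Constructed sample: user-typed text that happens to contain braces.
        string userText = "{Intention}";

        // Risky pattern from the thread: user text spliced into the format string itself.
        try
        {
            Console.WriteLine(string.Format("Note: " + userText + " by {0}", "greg"));
        }
        catch (FormatException ex)
        {
            Console.WriteLine("string.Format threw: " + ex.Message);
        }

        // Same call through the wrapper: the stray braces are escaped, {0} still expands.
        Console.WriteLine(SafeFormat.PreFormat("Note: " + userText + " by {0}", "greg"));

        // Arguments never needed escaping, as the thread notes; the wrapper leaves them alone.
        Console.WriteLine(SafeFormat.PreFormat("Note: {0} by {1}", userText, "greg"));

        // An out-of-range placeholder is rendered literally instead of throwing.
        Console.WriteLine(SafeFormat.PreFormat("{0} and {3}", "a"));
    }
}
```

The caveat a reviewer would raise: escaping after the fact hides, rather than removes, the underlying mistake of building the format string from data. The wrapper is worth having as the single interception point the thread asks for, but the calls it rescues (the ones where the first argument is a concatenation rather than a literal) are still the ones to find and rewrite so that the data travels as an argument.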
