I’m really interested in the scenario where you are passing user input as the
format string – do you have user input with placeholders ({0}) that you need to
fill?
From: [email protected] [mailto:[email protected]] On
Behalf Of mike smith
Sent: Thursday, February 03, 2011 4:34 PM
To: ozDotNet
Subject: Re: string.Format and curly braces
Re-write all your Format calls to preFormat, which does a sanity check on
parameters? It'd let you do a global search replace thru your code, and give
you one spot to add escaping of the braces if the contents of the braces didn't
meet a pre-determined string.
On Thu, Feb 3, 2011 at 5:34 PM, Greg Keogh
<[email protected]> wrote:
>You don’t have to escape arguments; for example, below shouldn’t crash on any
>version of .NET.
>Were you perhaps instead passing user input as the format string? That
>you will have to escape.
Oops! Sorry, you're right, I had it backwards. The format string contains
"{Intention}" not the argument.
>http://geekswithblogs.net/jonasb/archive/2007/03/05/108023.aspx
This is a well-known answer; my puzzle is one of the scope of the problem. There
are so many string.Formats in my code (thousands scattered over dozens of
solutions) that I can't find an elegant way of globally intercepting the
problem at the different levels from the UI all the way down to the lowest back
end.
It's not even trivial to identify which of my Format calls are at risk of the
braces crash. Finding them would be like performing a security audit. I think
we all have string formatting time-bombs in our code.
Greg
--
Meski
"Going to Starbucks for coffee is like going to prison for sex. Sure, you'll
get it, but it's going to be rough" - Adam Hills
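As an added example (not code from anyone in this thread), here is one way to build the preFormat wrapper mike smith suggests: it keeps well-formed `{index[,alignment][:format]}` placeholders whose index actually has an argument, and doubles every other brace so string.Format cannot throw a FormatException. The names PreFormat, Sanitize and EscapeBraces, and the sample input, are my own; the real fix remains passing user input as an argument rather than as the format string.

```csharp
using System;
using System.Text;
using System.Text.RegularExpressions;

static class BraceSafeFormat
{
    // A well-formed composite-format placeholder: {index[,alignment][:formatString]}
    // \G anchors the match at the position passed to Regex.Match(string, int).
    static readonly Regex Placeholder = new Regex(@"\G\{(\d+)(,-?\d+)?(:[^{}]*)?\}");

    // For user-supplied VALUES that must be spliced into a format string: double every brace.
    public static string EscapeBraces(string s) => s.Replace("{", "{{").Replace("}", "}}");

    // Sanity-check a format string: keep valid placeholders (index < argCount) and
    // already-escaped {{ }} pairs; double any other brace so it becomes a literal.
    public static string Sanitize(string format, int argCount)
    {
        var sb = new StringBuilder(format.Length);
        for (int i = 0; i < format.Length; i++)
        {
            char c = format[i];
            if (c != '{' && c != '}') { sb.Append(c); continue; }
            // Already escaped ({{ or }}): copy both and skip the second brace.
            if (i + 1 < format.Length && format[i + 1] == c) { sb.Append(c).Append(c); i++; continue; }
            Match m = c == '{' ? Placeholder.Match(format, i) : Match.Empty;
            if (m.Success && int.TryParse(m.Groups[1].Value, out int idx) && idx < argCount)
            {
                sb.Append(m.Value);   // legitimate placeholder with a matching argument
                i += m.Length - 1;
                continue;
            }
            sb.Append(c).Append(c);   // stray brace or out-of-range index: escape it
        }
        return sb.ToString();
    }

    public static string PreFormat(string format, params object[] args)
        => string.Format(Sanitize(format, args.Length), args);

    static void Main()
    {
        string userInput = "{Intention}";   // constructed sample of problematic input

        // Safe: the user input is an argument, so braces inside it are never parsed.
        Console.WriteLine(string.Format("Note: {0}", userInput));

        // Crashes: the user input IS the format string.
        try { string.Format(userInput); }
        catch (FormatException e) { Console.WriteLine("FormatException: " + e.Message); }

        // Sanitized: the stray braces are escaped, the real {0} placeholder still works.
        Console.WriteLine(PreFormat("Value {0} with " + userInput, 42));
    }
}
```

Sanitize also neutralises `{1}` when only one argument is supplied, which is the other common way these calls throw at run time; searching for Format calls whose format string is built from concatenation is the quickest way to find the candidates for this wrapper.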