> On Apr 7, 2017, at 2:15 PM, Félix Cloutier via swift-evolution
> <swift-evolution@swift.org> wrote:
>
> I don't necessarily think that the concept is a bad idea, but I think that
> the interaction of Swift features facilitates poor coding decisions. For
> example, the proposal interpolates an `author` variable straight into an XML
> document, and suggests doing the same to JSON strings. To me, this shows that
> an important use case of the feature is to format payloads in a way that is
> known to cause vulnerabilities.
I don't know if it will be reviewed for Swift 4, let alone be accepted, but I
have a proposal in for a revised string interpolation protocol. One of the
major use cases I considered was types which provided safe interpolation for
things like markup languages and JSON. So, for instance, if you wrote this:
let xml: XMLString = """
<?xml version="1.0"?>
<catalog>
<book id="bk101" empty="">
<author>\(author)</author>
<title>XML Developer's Guide</title>
<genre>Computer</genre>
<price>44.95</price>
<publish_date>2000-10-01</publish_date>
<description>An in-depth look at creating applications with
XML.</description>
</book>
</catalog>
"""
XMLString could escape `author` by default, unless it were itself an
`XMLString` or you wrote the interpolation as `\(raw: author)`. And of course,
this being Swift, `XMLString` would not necessarily have to be stated
explicitly; it could come from being concatenated to an `XMLString`, passed in
an `XMLString` parameter, or assigned to an `XMLString` property.
So I think this particular concern is orthogonal to the question of supporting
multiline strings. Escaping safety is possible—it's just a separate feature.
--
Brent Royal-Gordon
Architechies
_______________________________________________
swift-evolution mailing list
swift-evolution@swift.org
https://lists.swift.org/mailman/listinfo/swift-evolution
