Safe usage of text fields from message templates

Static source code analysis tool for C and C++ code

Brought to you by: danielmarjamaki

Safe usage of text fields from message templates

Forum: Development

Creator: Markus Elfring

Created: 2018-10-20

Updated: 2018-10-21

Markus Elfring - 2018-10-20

Fields can be specified for the construction of error messages by the program parameters “--template” and “--template-location”. This functionality is generally useful.
But I suggest to consider another software development concern when such a field can provide free-form text. If you would like to achieve a customised data transfer by this programming interface in a safe way, you should be able to determine the text end from this information source somehow.

I imagine that two transformation approaches can be appropriate there.

Specification of a delimiting identifier which must not occur in the text.

Conversion of the data to a well-known format (like Base64)

Last edit: Markus Elfring 2018-10-20
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Daniel Marjamäki - 2018-10-21

it has worked this way for almost 10 years. people use it. so we can't just change it.

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
- Markus Elfring - 2018-10-21
  
  The functionality can be extended for safe data processing with message templates, can't it?
  
  If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Log in to post a comment.