Interpretation of Java format strings is stricter than in languages such as C. The standard library implementations throw appropriate exceptions when any conversion argument fails to match the corresponding flagformat specifier. This approach reduces opportunities for malicious exploits. Nevertheless, malicious user input can exploit format strings and can cause information leaks or denial of service. As a result, strings from an untrusted source should not be incorporated into format strings.
...
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="47be0211a45a54dd-0635b6c5-44ad42a9-b1dc9b81-00cc4651338a2f0c05cfda8f"><ac:plain-text-body><![CDATA[ | [ISO/IEC TR 24772:2010 | http://www.aitcnet.org/isai/] | "Injection [RST]" | ]]></ac:plain-text-body></ac:structured-macro> |
CWE-134, "Uncontrolled Format String" |
...
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="000666e551779c40-7eed9aea-432b4383-9f989d26-ccbbb6963c692137e64078f8"><ac:plain-text-body><![CDATA[ | [[API 2006 | AA. Bibliography#API 06]] | [Class Formatter | http://java.sun.com/javase/6/docs/api/java/util/Formatter.html] | ]]></ac:plain-text-body></ac:structured-macro> |
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="6f2d3295383cb6b9-987d556a-4e0048d4-93899fb7-904cfbdcac61d393c1e088e7"><ac:plain-text-body><![CDATA[ | [[Seacord 2005 | AA. Bibliography#Seacord 05]] | Chapter 6, Formatted Output | ]]></ac:plain-text-body></ac:structured-macro> |
...