| Wiki Markup |
|---|
Many classes, including {{Pattern}} and those that support {{XML}} and {{SQL}} based actions by passing {{String}} arguments to methods, allow inclusion of escape sequences in character and string literals. According to the Java Language Specification \[[JLS 05|AA. Java References#JLS 05]\] section 3.10.6 "Escape Sequences for Character and String Literals": |
...
In order to correctly use escape sequences pertaining to String literals, an understanding of how they are interpreted is essential. For example, SQL statements written in Java, sometimes require certain special escape characters or sequences (for instance, sequences containing \t, \n, \r). In SQL queries, all escape sequences must be preceded by an extra backslash for correct interpretation.
As yet another example, consider the Pattern class that finds extensive use in performing regular expression related tasks. In Java, a A given String literal used for pattern matching is compiled into an instance of the Pattern type. If the pattern to be matched contains an undesired escape sequence such as a '\n', to avoid it being interpreted by the Java bytecode compiler as an escape sequence, the Pattern class requires the literal to be preceded by a backslash:
...
Noncompliant Code Example
In the following example, This noncompliant code example defines a method splitWords() that finds matches between the String literal and the input sequence. Since Because '\b' is the escape sequence for a word boundary, the misleading notion that String literals can be used as is, can convince the implementer that the pattern matches to the word boundaries and as a result, splits a given string into individual words. Instead, the string WORDS silently compiles to a backspace character.
...
| Code Block | ||
|---|---|---|
| ||
import java.util.regex.Pattern;
public class GoodSplitter {
private final String WORDS = "\\b"; // Will allow splitting on word boundaries
public String[] split(String input){
Pattern p = Pattern.compile(WORDS);
String[] input_array = p.split(input);
return input_array;
}
}
|
Risk Assessment
Incorrect usage use of escape characters in String literals can result in misinterpretation and potential corruption of data.
...