Interpretation of Java format strings is stricter than that in languages such as C. The implementations in the standard libraries throw appropriate exceptions when any conversion argument fails to match the corresponding flag. This approach reduces opportunities for malicious exploits. Nevertheless, malicious user input can exploit format strings and can cause information leaks or denial of service. Therefore As a result, strings from an untrusted source shall not be incorporated into format strings.
...
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="dd898ffd6c536e62-9e455e0b-40774f10-b6688bbc-a02f11601c0777dcd3d138cf"><ac:plain-text-body><![CDATA[ | [[MITRE 2009 | AA. Bibliography#MITRE 09]] | [CWE-134 | http://cwe.mitre.org/data/definitions/134.html] "Uncontrolled Format String" | ]]></ac:plain-text-body></ac:structured-macro> |
...
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="6d52fd820c685e7a-b5461c3a-4f9b438c-9df9b9cf-e1cfd687d99ea44ee577720b"><ac:plain-text-body><![CDATA[ | [[API 2006 | AA. Bibliography#API 06]] | [Class Formatter | http://java.sun.com/javase/6/docs/api/java/util/Formatter.html] | ]]></ac:plain-text-body></ac:structured-macro> |
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="61fa50918067631e-37092267-44ad4f37-856293d5-0f35aa370e2e95a09d775c22"><ac:plain-text-body><![CDATA[ | [[Seacord 2005 | AA. Bibliography#Seacord 05]] | Chapter 6, Formatted Output | ]]></ac:plain-text-body></ac:structured-macro> |
...