[stringtemplate-interest] format="random string" harmful
Terence Parr
parrt at cs.usfca.edu
Sun Oct 1 14:57:30 PDT 2006
Hi,

I just realized that allowing the random format string to dictate
which function to call on some formatter object is way too big of a
hole. It is the same thing as Velocity that allows you to pass in a
model and call random methods on it. Imagine:

$"select * from Users"; format="query"$

weird, but would call renderer.query("select * from Users"). Pass in
a DB object and we have a problem.

I think that I need to stay probably with a predefined set of
useful functions that you can apply to attributes. In fact, the
function style syntax of $upperCase(name)$ might be the right
answer. Regardless of the syntax, I think the only way to enforce
the separation is to prevent users from providing random code that
you can call from the template.

I suppose with that limitation then

$bday; format="verbose"$

and

$names; format="upperCase"$

can be the syntax. It would be calling pre-existing functions with
those names; the user cannot provide those methods.

Ter
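
The two designs discussed in the message above, side by side, as an added Python sketch that is not part of the original post and is not StringTemplate's code. `FakeDB`, `render_reflective`, `render_allowlisted` and `FORMATS` are hypothetical names, and the sample values are constructed.

```python
import datetime


class FakeDB:
    """Hypothetical model object that was never meant to be callable from a template."""

    def __init__(self):
        self.calls = []

    def query(self, sql):
        # Records the call so the effect of the dispatch is observable.
        self.calls.append(sql)
        return "<rows>"


def render_reflective(renderer, value, fmt):
    """Design the message rejects: the template's format string names the method."""
    # Whatever object the application passes in, every one of its methods
    # becomes reachable from template text.
    return getattr(renderer, fmt)(value)


# Design the message proposes: a predefined table of functions shipped with
# the engine. Template authors can pick a name but cannot add an entry.
FORMATS = {
    "upperCase": lambda v: str(v).upper(),
    "verbose": lambda v: v.strftime("%A, %B %d, %Y"),
}


def render_allowlisted(value, fmt):
    """Look the format name up in the fixed table; unknown names are an error."""
    try:
        func = FORMATS[fmt]
    except KeyError:
        raise ValueError(f"unknown format {fmt!r}") from None
    return func(value)


if __name__ == "__main__":
    db = FakeDB()
    # format="query" reaches the database object through reflection.
    print(render_reflective(db, "select * from Users", "query"), db.calls)
    # The same format name is rejected when only predefined functions exist.
    try:
        render_allowlisted("select * from Users", "query")
    except ValueError as exc:
        print("rejected:", exc)
    print(render_allowlisted("ter", "upperCase"))
    print(render_allowlisted(datetime.date(2006, 10, 1), "verbose"))
```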