Improve code security and simplify Java code with String Templates
Published on April 28, 2023
For JDK 21, JEP 430, String Templates (Preview), has been promoted from Proposed to Target to Targeted status. This feature JEP proposes the addition of string templates, which resemble string literals but contain embedded expressions whose values are incorporated into the resulting string at runtime.
Using string templates, Java developers can produce specialized results by coupling literal text with embedded expressions and processors. In addition to simplifying the writing of Java programs, this new feature improves the readability of expressions that mix text and expressions, and enhances the security of Java programs that compose strings based on values provided by users.
This JEP introduces a new kind of expression, the template expression, which allows developers to perform string interpolation and compose strings safely and efficiently. Template expressions are programmable and are not limited to composing strings: applying domain-specific rules, they can transform structured text into an object of any type. To evaluate a template expression, a template processor combines the literal text of the template with the values of the embedded expressions at runtime.
The syntax of a template expression is similar to that of a string literal or text block, but with a prefix: the template processor, then a dot, then the template itself, in which each embedded expression is written as \{expression}. For example, STR."Hello \{name}" applies the STR processor to a template with one embedded expression.
String interpolation, as offered by many other programming languages, lets programmers combine string literals and expressions into a single string, and it is more convenient and readable than traditional string concatenation. It can, however, produce dangerous strings that are misinterpreted by the system consuming them, above all when the string is an SQL statement, an HTML/XML document, a JSON snippet, a shell command, or natural-language text. Today, Java developers must validate and sanitize such strings themselves, escaping each embedded value and checking the assembled result, in order to prevent injection vulnerabilities.
A first-class, template-based mechanism for composing strings is both more efficient and safer: it applies template-specific rules to every string automatically, so quotes in SQL statements are escaped, HTML documents contain no illegal entities, and messages are localized without boilerplate. The developer no longer has to escape each embedded expression by hand and validate the entire string afterwards. This is exactly what Java's template expression does, as opposed to the string interpolation found in other popular languages.
By design, a template expression cannot go directly from a string literal or text block containing embedded expressions to a string with the expressions' values interpolated; the purpose of this restriction is to keep dangerously incorrect strings from spreading through a program. A template processor must always be applied: STR and FMT validate the template and interpolate the values of the embedded expressions, while RAW hands back the unprocessed template so that the caller can inspect the literal text and the values separately.
Java provides two template processors for performing string interpolation: STR and FMT. STR replaces each embedded expression in the template with its (stringified) value; it is a public static field of java.lang.StringTemplate that is automatically imported into every Java source file. FMT additionally interprets format specifiers appearing immediately to the left of embedded expressions. These are the same format specifiers as those defined in java.util.Formatter, and FMT lives in java.util.FormatProcessor, so it must be imported explicitly. The standard RAW template processor, also a static field of StringTemplate, can be used where the unprocessed template is required: it returns the original template without any interpolation or processing.
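The three standard processors side by side, as an added example written for this article rather than code taken from the JEP. It targets the preview API as finalized in JDK 21 (STR is imported automatically, FMT comes from java.util.FormatProcessor, RAW from StringTemplate) and must be compiled and run with --enable-preview. String templates remained a preview feature in JDK 22 and were removed again in JDK 23, so this compiles only on JDK 21 or 22. The user name and login count are constructed sample values.

```java
import static java.lang.StringTemplate.RAW;
import static java.util.FormatProcessor.FMT;

// Run with:  java --enable-preview --source 21 TemplateDemo.java
public class TemplateDemo {

    // STR: each \{...} is replaced by the stringified value of the expression.
    static String withStr(String user, int failed) {
        return STR."User \{user} has \{failed} failed logins";
    }

    // FMT: a java.util.Formatter specifier written directly to the left of an
    // embedded expression formats that value; everything else behaves like STR.
    // Here the name is left-justified in 8 columns and the count zero-padded to 3.
    static String withFmt(String user, int failed) {
        return FMT."User %-8s\{user} failed %03d\{failed} times";
    }

    // RAW: no interpolation at all. The caller receives the StringTemplate and can
    // look at the literal fragments and the embedded values separately, which is
    // the building block every custom processor starts from.
    static StringTemplate withRaw(String user) {
        return RAW."SELECT * FROM logins WHERE name = '\{user}'";
    }

    public static void main(String[] args) {
        String user = "joan";   // constructed sample input
        int failed = 3;         // constructed sample input

        System.out.println(withStr(user, failed));
        System.out.println(withFmt(user, failed));

        StringTemplate t = withRaw(user);
        // fragments() holds the literal text around each hole (one more fragment
        // than there are values); values() holds the evaluated expressions.
        System.out.println("fragments: " + t.fragments());
        System.out.println("values:    " + t.values());
        // interpolate() joins them exactly as STR would, should that be what you want.
        System.out.println("joined:    " + t.interpolate());
    }
}
```

The RAW case shows why keeping fragments and values apart matters: a processor can see that the value would land between two single quotes in the SQL text and refuse or rewrite the template, something that is impossible once the pieces have been concatenated into one String.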
Additionally, developers can create their own template processors for use in template expressions. A template processor implements the functional interface ValidatingProcessor (in the API that shipped with JDK 21 this interface became StringTemplate.Processor), whose single abstract method, process, takes a StringTemplate and returns an object; the interface is parameterized on both the result type and a Throwable type, so a processor can throw a checked exception when validation fails. Custom template processors can therefore perform validation at runtime and return objects of any type, not just strings.
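A custom processor that makes the safety argument of the preceding paragraphs concrete, as an added example written for this article (it is not code from the JEP or the JDK). It targets the JDK 21 preview API, where the processor interface is StringTemplate.Processor, and needs --enable-preview. The processor turns an SQL template into a hypothetical Query record holding parameterized SQL plus the values to bind, so embedded values never become SQL syntax, and it rejects templates that put quotes around an embedded expression. The user-supplied name containing an injection payload is constructed sample input.

```java
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

// Run with:  java --enable-preview --source 21 SqlTemplateDemo.java
public class SqlTemplateDemo {

    // What the processor produces (hypothetical type defined for this example):
    // SQL text with '?' placeholders and the values to bind, i.e. exactly the
    // inputs a java.sql.PreparedStatement wants.
    record Query(String sql, List<Object> params) {}

    // A custom template processor. It is a lambda for the functional interface
    // StringTemplate.Processor<R, E>: one method, StringTemplate in, R out, E thrown.
    // Validation lives here, at the only point where the template becomes a Query,
    // so no caller can forget to do it.
    static final StringTemplate.Processor<Query, IllegalArgumentException> SQL = st -> {
        List<String> fragments = st.fragments(); // literal text; values.size() + 1 entries
        List<Object> values = st.values();        // results of the \{...} expressions

        StringBuilder sql = new StringBuilder(fragments.get(0));
        for (int i = 0; i < values.size(); i++) {
            String before = fragments.get(i);
            String after = fragments.get(i + 1);
            // A template such as  name = '\{name}'  would splice the value into a
            // string literal. We bind values instead, so quoting is a mistake:
            // refuse it rather than silently produce a query that means something else.
            if (before.endsWith("'") || after.startsWith("'")) {
                throw new IllegalArgumentException(
                    "do not quote embedded expression " + i + "; it is bound as a parameter");
            }
            sql.append('?').append(after);
        }
        return new Query(sql.toString(),
                         Collections.unmodifiableList(new ArrayList<>(values)));
    };

    public static void main(String[] args) {
        // Constructed attacker-controlled input: a classic tautology payload.
        String name = "x' OR '1'='1";
        int maxFailed = 5;

        // The payload is handed over as a bound parameter; the SQL text contains
        // only the literal fragments and '?' placeholders.
        Query q = SQL."SELECT id FROM users WHERE name = \{name} AND failed < \{maxFailed}";
        System.out.println("sql:    " + q.sql());
        System.out.println("params: " + q.params());

        // The quoted form is rejected at runtime instead of becoming injectable SQL.
        try {
            Query bad = SQL."SELECT id FROM users WHERE name = '\{name}'";
            System.out.println("unexpected: " + bad.sql());
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

With a real JDBC connection the Query would be executed by calling conn.prepareStatement(q.sql()) and then setObject(i + 1, q.params().get(i)) for each value. The point of the example is that the string the database parses is fixed at the template's literal fragments; whatever the user typed travels separately as data.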
In conclusion, template expressions in Java make string interpolation and string composition easy and safe for developers.