In Java, the format string implementation is stricter than in any other language.
If a conversion argument does not match its corresponding format specifier, the formatting method throws an exception.
This strictness limits the scope for abuse, but malicious user input can still exploit format strings to cause a denial of service or an information leak.
Never incorporate input strings from untrusted sources into a format string.
Vulnerable Code
The code illustrates an information leak issue.
It accepts a credit card's expiration date from the user and incorporates it directly into the format string.
Secure Code
In this version, user input is never incorporated into the format string.
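The following is an added example, not the original page's code, showing the two patterns side by side: the class name, the constructed issue date and the sample inputs are assumptions. A stored date is the sensitive value, and the user-supplied expiry string is either concatenated into the format string (vulnerable) or passed only as a %s argument (secure).

```java
import java.util.Calendar;
import java.util.GregorianCalendar;
import java.util.IllegalFormatException;

public class ExpiryCheck {
    // Constructed sample: the card's real issue date, which must not be disclosed.
    private static final Calendar ISSUED = new GregorianCalendar(2019, Calendar.MARCH, 14);

    // Vulnerable: the untrusted expiry string becomes part of the format string,
    // so any %-sequence it carries is interpreted by Formatter against ISSUED.
    static String hintVulnerable(String expiry) {
        return String.format(expiry + " did not match. Hint: the card was issued in %1$tB", ISSUED);
    }

    // Secure: the format string is a constant; user input is only ever an argument,
    // rendered by %s, so any '%' characters in it are printed literally.
    static String hintSecure(String expiry) {
        return String.format("%s did not match. Hint: the card was issued in %tB", expiry, ISSUED);
    }

    public static void main(String[] args) {
        // Constructed inputs: a benign expiry, and one that carries a date conversion (%1$tY).
        String[] inputs = { "05/27", "%1$tY" };
        for (String in : inputs) {
            try {
                // With the second input the vulnerable path reveals the stored issue year.
                System.out.println("vulnerable: " + hintVulnerable(in));
            } catch (IllegalFormatException e) {
                // Java's stricter Formatter throws instead of reading garbage; an
                // input that forces this exception is the denial-of-service case.
                System.out.println("vulnerable: " + e.getClass().getSimpleName());
            }
            // The secure path prints the same input unchanged, as literal text.
            System.out.println("secure:     " + hintSecure(in));
        }
    }
}
```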