Kawa-smart-substitution
[!meta title="Smart string substitution in Kawa"]]
Many tools are controlled by a text-based domain-specific language (DSL).
These include SQL, JSON, various XML-based languages, and of course
various shell languages. Sometimes you want to invoke tools from
a programming language, and so you construct text commands in this DSL.
Thiese commands typically have a fixed (literal) template,
which is filled in with context-dependent data. This data is commonly
strings, which become string literals in the DSL, which means the
data has to quoted/escaped to have the appropriate syntax for the DSL.
If you fail to quote, or do it wrong, you risk bugs;
if the data comes from an untrusted source, you
risk a
code injection vulnerability.
((unquoted))