[[!meta title="Smart string substitution in Kawa"]]

Many tools are controlled by a text-based domain-specific language (DSL). These include SQL, JSON, various XML-based languages, and of course various shell languages. Sometimes you want to invoke tools from a programming language, and so you construct text commands in this DSL. These commands typically have a fixed (literal) template, which is filled in with context-dependent data. This data is commonly strings, which become string literals in the DSL, which means the data has to be quoted/escaped to have the appropriate syntax for the DSL. If you fail to quote, or do it wrong, you risk bugs; if the data comes from an untrusted source, you risk a code injection vulnerability.
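The difference between pasting data into a template and quoting it for the DSL, shown for a POSIX shell command. This is an added example in Python, not Kawa code from this page; the template, the sample values and all function names are constructed for illustration, and nothing is executed: the command text is only tokenized.

```python
import shlex

TEMPLATE = "wc -l {path}"        # fixed literal part, written by the programmer

# Constructed sample data standing in for context-dependent input.
BENIGN = "my notes.txt"          # contains a space
APOSTROPHE = "it's.txt"          # contains a shell quote character
HOSTILE = "x.txt; echo injected" # contains a shell control operator

OPERATOR_CHARS = set("();<>|&")

def fill_naive(template, **data):
    """Paste the data into the template verbatim (the failure mode)."""
    return template.format(**data)

def fill_quoted(template, **data):
    """Quote every datum as a single POSIX shell word before pasting it in."""
    return template.format(**{k: shlex.quote(str(v)) for k, v in data.items()})

def words(command):
    """Split command text into words and operators as a POSIX shell would."""
    lex = shlex.shlex(command, posix=True, punctuation_chars=True)
    lex.whitespace_split = True
    return list(lex)

def check(command, datum):
    """Report how the shell would see `datum` inside `command`."""
    try:
        toks = words(command)
    except ValueError:           # unbalanced quote: not a valid command at all
        return "syntax error"
    args = toks[2:]              # everything after "wc -l"
    if args == [datum]:
        return "one argument"    # data arrived intact as a single string
    if any(set(t) <= OPERATOR_CHARS for t in args):
        return "injected operator"
    return "split argument"

def report():
    """Compare both fill strategies over the sample data."""
    rows = []
    for datum in (BENIGN, APOSTROPHE, HOSTILE):
        naive = check(fill_naive(TEMPLATE, path=datum), datum)
        quoted = check(fill_quoted(TEMPLATE, path=datum), datum)
        rows.append((datum, naive, quoted))
    return rows

if __name__ == "__main__":
    for datum, naive, quoted in report():
        print(f"{datum!r:26} naive: {naive:18} quoted: {quoted}")
```

The naive fill produces an ordinary bug for the first two values and a second command for the third; the quoted fill delivers all three to `wc` as one argument.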