Github user stokito commented on the issue:
https://github.com/apache/commons-lang/pull/335
Hi @greenman18523
> would you consider an extra parameter, to clearly specify the minimum
> number of masked characters?
For those use cases which I mentioned (masking credit cards and passwords)
this does not look necessary to me. Maybe you know some cases when this may be needed?
As I understand it, you are talking about more safety, i.e. not unmasking any
symbol if the incoming string is too short, while the implementation which I proposed
will try to show at least some symbols from the start.
For example, `mask("123456", 4, 4) = "12****"`, which makes hidden symbols
more guessable.
But, to be honest, if someone uses such a short password then it doesn't matter
if it is shown.
Another solution: in this case we can mask everything when str len 6 <
unmaskedStart 4 + unmaskedEnd 4. I.e. `mask("123456", 4, 4) = "******"`. This
is easier to understand, but at the same time it may still be useful to unmask
at least something, but I don't think it's so critical.
What do you think about this proposition? E.g.
```
mask("12345678", 4, 4) = "********"
mask("123456789", 4, 4) = "****5****"
mask("1234567890", 4, 4) = "****56****"
```
I hope that `unmaskedStart` and `unmaskedEnd` in real life will always be
reasonable (1-6) and the incoming string will always be bigger. We can actually
restrict passing strings less than some length and throw an exception.
But from possible use cases it looks like the `mask()` function should be
failsafe because it may be used just for logging of external input which can be
anything and we shouldn't break its processing. I even think about returning
an empty string if null was passed.
Also we have to think about performance because I expect that the function
will be widely used in logging filters for any incoming request.
---
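A sketch of the fail-safe "mask everything when the string is too short" variant discussed in the comment above, added here as an illustration; it is not the code from the pull request. The class name and the sample inputs are constructed, and for inputs longer than `unmaskedStart + unmaskedEnd` it assumes the parameters mean what their names say (keep that many leading and trailing characters).

```java
import java.util.Arrays;

public class MaskExample {

    // Hypothetical helper, not the Commons Lang method under review.
    // Never throws: null becomes "", negative counts are treated as 0.
    static String mask(String str, int unmaskedStart, int unmaskedEnd) {
        if (str == null) {
            return "";
        }
        int start = Math.max(unmaskedStart, 0);
        int end = Math.max(unmaskedEnd, 0);
        int len = str.length();
        // Single allocation, filled in place: cheap enough for a log filter.
        char[] out = str.toCharArray();
        // long arithmetic so that huge arguments cannot overflow the sum.
        if ((long) start + end >= len) {
            // Too short to reveal anything safely: hide every character.
            Arrays.fill(out, '*');
        } else {
            Arrays.fill(out, start, len - end, '*');
        }
        return new String(out);
    }

    public static void main(String[] args) {
        // Constructed sample inputs.
        System.out.println(mask(null, 4, 4));               // empty string
        System.out.println(mask("123456", 4, 4));           // ******
        System.out.println(mask("12345678", 4, 4));         // ********
        // Only one character is hidden here, which is the case the quoted
        // question about a minimum number of masked characters is aimed at.
        System.out.println(mask("123456789", 4, 4));        // 1234*6789
        System.out.println(mask("4111111111111111", 4, 4)); // 4111********1111
    }
}
```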