Github user stokito commented on the issue: https://github.com/apache/commons-lang/pull/335 Hi @greenman18523 > would you consider an extra parameter, to clearly specify the minimum number of masked characters? For those use cases which I mentioned (masking credit cards and passwords) this looks not needed for me. Maybe you know some cases when this may be needed? As I understood you are telling about more safety and do not unmask any symbol if incoming string is too short while implementation which I proposed will try to show at least some symbols from start. For example `mask("123456", 4, 4) = "12****"` which makes hidden symbols more guessable. But, to be honest, if someone uses so short password then it doesn't matter if it will be shown. Another solution in this case we can mask everything when str len is 6 < unmaskendStart 4 + unmaskedEnd 4. I.e. `mask("123456", 4, 4) = "******"`. This is easier to understood but in the same time it still may be useful to unmask at least something but I don't think it's so critical. What do you think about this proposition? E.g. ``` mask("12345678", 4, 4) = "********" mask("123456789", 4, 4) = "****5****" mask("1234567890", 4, 4) = "****56****" ``` I hope that `unmaskedStart` and `unmaskedEnd` in real life will be always reasonable (1-6) and the incoming string will be always bigger. We can actually restrict passing strings less that some length and throw an exception. But from possible use cases it looks that `mask()` function should be failsafe because it may be used just for logging of external input which can be anything and we shouldn't break it's processing. I even think about returning an empty string if null was passed. Also we have to think about performance because I expect that the function will be widely used for in logging filters for any incoming request.
---