Thanks for filing the feedback so we can update the documentation. In the meantime, I can provide a quick overview:
These functions behave mostly like the equivalent functions without "Validated" in the name that you might have used before. They additionally add validation behavior on top of them. In general, string format specifiers are very powerful, but if provided by untrusted sources they can lead to security vulnerabilities. Format specifiers can lead to interpreting arguments as arbitrary types and dereferencing arbitrary memory, so it's important that your format strings are always trusted. However, in some cases your format string may be untrusted (for example, if the format string is received from a network request). In these cases, the validated APIs allow you to provide two strings: the untrusted format string, and a separate validFormatSpecifiers string that is trusted and guaranteed to match the provided arguments. During formatting, if the untrusted string's specifiers do not match the trusted string's specifiers, this API safely reports an error rather than continuing and crashing (or worse).
For example, if you write the following code:
[[NSString alloc] initWithValidatedFormat:untrustedFormat validFormatSpecifiers:@"%@%ld" locale: nil error: &error, myObject, someInteger]
If untrustedFormat is Hello %@ x%ld! then formatting will succeed. However if the untrusted format string is Malicious multiple objects %@ and %@ formatting will fail with an error because it is not safe to dereference the integer argument as an object.
This can also be very useful when building with -Wformat-nonliteral which requires format strings to be literals (so that the compiler can guarantee they match the provided arguments via -Wformat-security). If you can't make your format string a literal, you can use these validated functions to provide a different literal that we validate against the non-literal format string at runtime.
