@computionist @bascule For many, the benefits are somewhat abstract, until they get XSSed, whereas costs are real and immediate.
@jcoglan @computionist having a non-string type for untrusted data which makes you think about how you use it seems like a no brainer
@bascule @computionist I'd rather model types (what the string 'means') than 'untrustedness', but yeah.
@jcoglan @computionist my main concern here would be "attacker controlled data" not sure what else even matters in that context
@bascule @computionist So then you need to further prove the JSON doc contains expected types of things before processing it.
@jcoglan @computionist full recognition before processing or GTFO
@bascule @jcoglan @computionist "but it's not agile"
@bascule @computionist Except, the continued massive popularity of strings would suggest this is far from obvious to people at large.
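To make the two ideas in the thread concrete (an opaque type for attacker-controlled data that cannot be used as a plain string, and "full recognition before processing" of a JSON document into a fixed, typed record), here is an added example written for this page. It is not code from any of the participants; the `Untrusted` class, the `Comment` record, its field limits and the sample JSON bodies are assumptions chosen for illustration.

```python
"""Added example: an opaque wrapper for untrusted input plus full recognition
of a JSON document before any application code touches it."""
import json
from dataclasses import dataclass
from typing import Callable, Optional, TypeVar

T = TypeVar("T")


class Untrusted:
    """Holder for attacker-controlled text (hypothetical type for this example).

    It deliberately does not subclass str and refuses str()/format(), so it
    cannot be concatenated into HTML, SQL or a shell command by accident.
    The only way out is validate(): hand over a recognizer that turns the raw
    text into a typed value or raises.
    """

    def __init__(self, raw: str) -> None:
        self._raw = raw

    def __repr__(self) -> str:
        return f"Untrusted(<{len(self._raw)} chars>)"

    def __str__(self) -> str:
        # Also reached by f-strings and str.format(), which fall back to str().
        raise TypeError("Untrusted data must be validated before use")

    def validate(self, recognizer: Callable[[str], T]) -> T:
        return recognizer(self._raw)


@dataclass(frozen=True)
class Comment:
    """The only shape the rest of the program is allowed to see (assumed)."""
    author: str
    body: str
    score: int


def recognize_comment(raw: str) -> Comment:
    """Full recognition: parse, then check the shape and type of every field
    before a Comment exists. Anything unexpected is rejected, never coerced."""
    doc = json.loads(raw)  # JSONDecodeError is a ValueError subclass
    if not isinstance(doc, dict):
        raise ValueError("expected a JSON object")
    expected = {"author", "body", "score"}
    if set(doc) != expected:
        raise ValueError(f"unexpected keys: {sorted(set(doc) ^ expected)}")
    author, body, score = doc["author"], doc["body"], doc["score"]
    # Field limits below are assumptions for the example.
    if not (isinstance(author, str) and 1 <= len(author) <= 32 and author.isalnum()):
        raise ValueError("author must be 1-32 alphanumeric characters")
    if not isinstance(body, str) or len(body) > 1000:
        raise ValueError("body must be a string of at most 1000 characters")
    # bool is a subclass of int in Python, so exclude it explicitly.
    if not isinstance(score, int) or isinstance(score, bool) or not 0 <= score <= 10:
        raise ValueError("score must be an integer between 0 and 10")
    return Comment(author=author, body=body, score=score)


def handle_request(raw_body: str) -> Optional[Comment]:
    """Boundary code: wrap the input, then recognize it. None means rejected."""
    try:
        return Untrusted(raw_body).validate(recognize_comment)
    except ValueError:
        return None


def leaks_into_html(value: object) -> bool:
    """True if the value can be interpolated into markup without validation."""
    try:
        f"<p>{value}</p>"
        return True
    except TypeError:
        return False


if __name__ == "__main__":
    # Constructed sample bodies, not captured traffic.
    print(handle_request('{"author": "alice", "body": "hi", "score": 3}'))
    print(handle_request('{"author": "<script>", "body": "hi", "score": 3}'))
    print(leaks_into_html("raw string"), leaks_into_html(Untrusted("raw string")))
```

The point of the wrapper is that the compiler or runtime, not the reviewer, notices when untrusted text reaches a sink; the point of the recognizer is that extra keys, wrong types and out-of-range values are rejected at the boundary rather than discovered somewhere deep in the handler.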