@computionist @bascule For many, the benefits are somewhat abstract, until they get XSSed, whereas costs are real and immediate.
Replying to @mountain_ghosts
@jcoglan @computionist having a non-string type for untrusted data which makes you think about how you use it seems like a no-brainer
Replying to @bascule
@bascule @computionist I'd rather model types (what the string 'means') than 'untrustedness', but yeah.
Replying to @mountain_ghosts
@jcoglan @computionist my main concern here would be "attacker controlled data"; not sure what else even matters in that context
Replying to @bascule
@bascule @computionist So then you need to further prove the JSON doc contains expected types of things before processing it.
Replying to @mountain_ghosts
@jcoglan @computionist full recognition before processing or GTFO
2:14 PM - 29 Oct 2013
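The two ideas in the thread above (an untrusted-data type that cannot be used as a plain string, and full recognition of the JSON document into expected types before any processing) combined into one added example. This is illustrative code written for this page, not code from any of the participants; the `Untrusted` wrapper, the `Comment` record, the field constraints and the sample documents are all constructed here as assumptions.

```python
import html
import json
from dataclasses import dataclass


class Untrusted:
    """Opaque wrapper for text that crossed a trust boundary (e.g. a request body).

    Deliberately NOT a str subclass: it cannot be concatenated into HTML, SQL
    or a shell command by accident, and str() on it raises. The only way to
    get usable data out is a recognizer that validates the whole document.
    """

    __slots__ = ("_raw",)

    def __init__(self, raw: str) -> None:
        self._raw = raw

    def __str__(self) -> str:
        raise TypeError("Untrusted data must be recognized before use")

    def raw_for_parser(self) -> str:
        # Only recognizers should call this.
        return self._raw


class RecognitionError(ValueError):
    """Raised when input does not match the expected shape; nothing downstream runs."""


@dataclass(frozen=True)
class Comment:
    """Fully recognized, typed result; later stages accept only this type."""

    author: str
    body: str
    rating: int


MAX_DOC_BYTES = 4096  # hypothetical limit, checked before parsing


def recognize_comment(data: Untrusted) -> Comment:
    """Parse and validate the entire document, or reject it as a whole."""
    raw = data.raw_for_parser()
    if len(raw.encode("utf-8")) > MAX_DOC_BYTES:
        raise RecognitionError("document too large")
    try:
        doc = json.loads(raw)
    except json.JSONDecodeError as exc:
        raise RecognitionError(f"not valid JSON: {exc.msg}") from None
    if not isinstance(doc, dict):
        raise RecognitionError("top level must be an object")
    expected = {"author", "body", "rating"}
    if set(doc) != expected:  # no missing keys, no extra keys
        raise RecognitionError(f"keys must be exactly {sorted(expected)}")
    author, body, rating = doc["author"], doc["body"], doc["rating"]
    if not isinstance(author, str) or not (1 <= len(author) <= 32) or not author.isalnum():
        raise RecognitionError("author must be 1-32 alphanumeric characters")
    if not isinstance(body, str) or not (1 <= len(body) <= 2000):
        raise RecognitionError("body must be 1-2000 characters")
    # bool is a subclass of int, so isinstance(True, int) is True; compare exact type
    if type(rating) is not int or not (1 <= rating <= 5):
        raise RecognitionError("rating must be an integer 1-5")
    return Comment(author=author, body=body, rating=rating)


def render_comment(comment: Comment) -> str:
    """Rendering accepts only the recognized type; output escaping is still applied."""
    return (
        f'<li data-rating="{comment.rating}">'
        f"<b>{html.escape(comment.author)}</b>: {html.escape(comment.body)}</li>"
    )


# Constructed sample documents (not real traffic)
GOOD = '{"author": "alice", "body": "Nice post <3", "rating": 5}'
EXTRA_KEY = '{"author": "alice", "body": "x", "rating": 5, "admin": true}'
BOOL_RATING = '{"author": "alice", "body": "x", "rating": true}'
XSS_BODY = '{"author": "mallory", "body": "<script>alert(1)</script>", "rating": 1}'


def classify(raw: str) -> str:
    """Return 'accepted' or 'rejected: <reason>' for a raw document."""
    try:
        recognize_comment(Untrusted(raw))
        return "accepted"
    except RecognitionError as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    for sample in (GOOD, EXTRA_KEY, BOOL_RATING, XSS_BODY):
        print(classify(sample))
    print(render_comment(recognize_comment(Untrusted(XSS_BODY))))
```

The wrapper answers the "non-string type" point: code that wants a `str` fails loudly instead of silently interpolating attacker-controlled data. The recognizer answers the "prove the JSON doc contains expected types" point: key set, types and ranges are checked for the whole document before a `Comment` exists, and the `bool`-is-an-`int` check is the kind of edge case that only a deliberate recognition step catches. Escaping at render time stays in place regardless, since recognition proves shape, not safety in every output context.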