: `eval` is a DOM XSS sink. *shrug* Evaluating that risk is up to the developer. @mikesherov @SlexAxton @The_Brown_Shoe
-
-
yeah; that's why no large scale website disabled eval.
@mikewest@mikesherov@SlexAxton@The_Brown_Shoe -
the fact that we ended up at a place where ember developers like you feel frustrated is the real sad part here
@mikewest -
yes. For what it's worth I've participated in writing memos explaining why it's OK to use eval for dynamic loading.
-
I was on the rails security team and I'm on the ember security team. I worked on vulns like https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0447 …
-
I understand this stuff but feel that people who are focused on eliminating threats need to be tempered by people 1/
-
focused on ergonomics, and there aren't enough of the latter in the current process. In fact, the process is dominated 2/
-
by an impression that ergonomics are a low order bit (hence the almost-rage in the above thread) 3/3
-
agreed 100%. My pet peeve.
@mikewest
End of conversation
New conversation -
Loading seems to be taking a while.
Twitter may be over capacity or experiencing a momentary hiccup. Try again or visit Twitter Status for more information.