[Ur] Supporting 'style' attribute securely
Adam Chlipala
adamc at impredicative.com
Sun Apr 15 14:12:00 EDT 2012
Marc Weber wrote:
> I still don't get it.
> Who is going to add style attributes causing injections?
>
> The user (client side): can do so anyway by using javascript: urls in the browser
> window or firebug lite like tools
>
> The programmer? The programmer can do whatever he/she wants anyway.
> In which way is it different from the programmer using eval in an unsafe
> way?
It's just like using eval() in an unsafe way, but Ur/Web rules out
eval()! An invariant of Ur/Web is that strings are never interpreted as
programs and executed, unless your program contains an explicit interpreter.
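To illustrate the invariant Adam describes (a style attribute is never a string the browser interprets freely, but structured data serialized from a fixed grammar), here is an added example in Python; it is not Ur/Web code and not part of the original thread. The property allowlist and the value grammar are constructed for the example and deliberately narrow.

```python
"""Added example: treat a style attribute as structured declarations, not as an
opaque string.  Only allowlisted properties and a restricted value grammar are
ever serialized, so url(...), expression(...), backslash escapes and
javascript: schemes cannot reach the attribute at all."""
import html
import re

# Constructed allowlist: extend per application, never accept arbitrary names.
ALLOWED_PROPERTIES = {
    "color", "background-color", "font-size", "font-weight",
    "margin", "padding", "text-align",
}
# Values may contain letters, digits, '#', '.', '%', '-' and spaces.
# No parentheses, colons, semicolons, quotes, slashes or backslashes, which
# rules out url(), expression(), comments and CSS escapes.
SAFE_VALUE = re.compile(r"[A-Za-z0-9#.%\- ]+")


class UnsafeStyle(ValueError):
    """Raised when a declaration falls outside the permitted grammar."""


def validate_declaration(prop, value):
    """Normalize one (property, value) pair or raise UnsafeStyle."""
    prop, value = prop.strip().lower(), value.strip()
    if prop not in ALLOWED_PROPERTIES:
        raise UnsafeStyle(f"property not allowed: {prop!r}")
    if not SAFE_VALUE.fullmatch(value):
        raise UnsafeStyle(f"value outside grammar: {value!r}")
    return prop, value


def parse_untrusted_style(text):
    """Parse a raw style string (e.g. from a form field) into validated pairs."""
    decls = []
    for chunk in text.split(";"):
        if not chunk.strip():
            continue
        if chunk.count(":") != 1:  # also rejects 'url(javascript:...)' forms
            raise UnsafeStyle(f"malformed declaration: {chunk!r}")
        prop, value = chunk.split(":")
        decls.append(validate_declaration(prop, value))
    return decls


def render_style(declarations):
    """Serialize validated pairs into an attribute value, HTML-escaped."""
    parts = [f"{p}: {v}" for p, v in (validate_declaration(p, v) for p, v in declarations)]
    return html.escape("; ".join(parts), quote=True)


def is_safe_style(text):
    """True if the raw string is entirely expressible in the safe grammar."""
    try:
        parse_untrusted_style(text)
        return True
    except UnsafeStyle:
        return False
```

Anything that is not a known property with a plain token value is refused outright rather than "cleaned", which is the string-is-not-a-program stance the message argues for.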