[Ur] typechecker rejects form handler
Adam Chlipala
adamc at csail.mit.edu
Tue Jan 7 15:07:49 EST 2014
On 01/07/2014 03:03 PM, Sergey wrote:
> Well, for some reason I didn't take into account that 'show' instance
> is defined for the url type. I agree, this approach should work for
> now. But this way we handle basic cases only. For example, if I add
> one trivial requirement to my login forms task - "views should print
> errors in case of invalid login attempt" - then `form' function will
> need (string -> url) function argument rather than constant url and,
> thus, specializations. I can't see stable solution, that is why I'm so
> nervous about this problem.
Your extra requirement turns out to be easy to support using cookies,
but I'm sure we could continue the escalation and find others that are
harder. :)
For now, I don't see an "obvious good idea" change to make in Ur/Web, so
I'll wait until someone's actually current application forces a
different tack.
> By the way, you mentioned other frameworks which assigns urls to
> continuations. I suppose it makes it possible to attack such servers
> by forcing it into creating more and more continuations. But it is
> interesting to read how the authors reason about the security. Could
> you point me to some reading about this?
The continuation-based framework I've heard about the most is for Racket:
http://docs.racket-lang.org/web-server/
More information about the Ur
mailing list