[Ur] No sql_injectable(_prim) xbody (or xml in general).
Adam Chlipala
adamc at csail.mit.edu
Fri Nov 3 08:00:03 EDT 2017
On 11/02/2017 11:19 PM, Artyom Shalkhakov wrote:
> 2017-11-03 1:59 GMT+06:00 Peter Brottveit Bock <post at peterbb.net>:
>
> > It seems to me that it's not possible to store xml in a database.
> > Is there any reason for this?
>
> Storing it in a database is prone to XML/HTML injection (therefore the
> general case is disallowed).
Right, that's true. However, it shouldn't be a concern when only your
Ur/Web app accesses that database.
Still, overnight I thought of another issue: legitimate JavaScript code
within HTML fragments can become illegitimate across versions of your
Ur/Web app! A global identifier may no longer exist, causing an
unbound-identifier exception when using HTML retrieved from the
database. To me, this is the kiss of death, reminding me why this
feature deserves to be left out.