
13 Oct 2008, 3:30 a.m.
On Mon, Oct 13, 2008 at 08:43:48AM +0200, apfelmus wrote:
Yes. "Just" an injection problem is an understatement. And it's the implementation of the abstract data type that determines how fast things are. Who said that it may not simply be a newtyped String?
I think the attraction to the SafeString example is that it's simple and effective for the task at hand -- in other words, pragmatic. Suggesting that in order to avoid HTML injection people re-read the HTML spec and invent a complete ADT to represent all the little corner cases they probably won't ever use is exactly the kind of answer that would scare Joe Six-Pack Hockey Programmer away.
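The "newtyped String" idea from the exchange above, written out as an added example (not code from either poster): a SafeHtml wrapper whose only constructors are an escaping function for untrusted input and a clearly named one for program-authored markup, so the type checker refuses to splice a raw String into the output. Names such as SafeHtml, escapeHtml and trusted are assumptions for this illustration.

```haskell
-- Added example, not from the thread. In a real module the SafeHtml
-- constructor would be hidden by the export list so that the only ways
-- to build a value are 'escapeHtml' (user data) and 'trusted' (markup
-- the program itself wrote).

-- | Text that is safe to splice into an HTML document.
newtype SafeHtml = SafeHtml String

-- | Escape the characters that matter inside element content and
-- double-quoted attribute values. Everything user-supplied goes through here.
escapeHtml :: String -> SafeHtml
escapeHtml = SafeHtml . concatMap esc
  where
    esc '<'  = "&lt;"
    esc '>'  = "&gt;"
    esc '&'  = "&amp;"
    esc '"'  = "&quot;"
    esc '\'' = "&#39;"
    esc c    = [c]

-- | Markup authored by the program. The distinct name makes every
-- unescaped insertion easy to find in a code review.
trusted :: String -> SafeHtml
trusted = SafeHtml

-- | Extract the final document; only escaped or trusted text reaches this point.
render :: SafeHtml -> String
render (SafeHtml s) = s

-- | Concatenation stays inside SafeHtml, so assembling a page cannot
-- accidentally drop back to a plain String.
instance Semigroup SafeHtml where
  SafeHtml a <> SafeHtml b = SafeHtml (a ++ b)

instance Monoid SafeHtml where
  mempty = SafeHtml ""

-- | Wrap content in an element; the tag name is program-authored.
tag :: String -> SafeHtml -> SafeHtml
tag name body = trusted ("<" ++ name ++ ">") <> body <> trusted ("</" ++ name ++ ">")

main :: IO ()
main = do
  -- Constructed sample input: a user comment carrying a script tag.
  let comment = "<script>alert(1)</script> & \"quotes\""
  putStrLn (render (tag "p" (escapeHtml comment)))
  -- tag "p" comment would not compile: a String is not a SafeHtml,
  -- which is exactly the property the newtype buys.
```

The escaping covers element content and double-quoted attribute values; the same wrapper does not make a value safe inside a script block or a URL, which need their own encoding.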