I think that eval is dangerous only if the user uses it to eval input taken from the user, and when it can be exploited to execute arbitrary code.
I don't see the difference between eval and the PHP parser: the user code will be the same; the only thing that will change is our implementation in Aiki.

On Thu, 23 Feb 2012 04:57:35 +0200
Bassel Safadi <bassel.saf...@gmail.com> wrote:

> eval is too dangerous unless we exclude every single bad script.
> Using the PHP parser that is written in PHP will enable us to
> create parse trees which will help Aiki to understand what the
> custom PHP script written by the user is trying to do
>
> --
> Bassel Safadi | http://bassel.ws
> Skype: i.know.sy | Global: +1-323-545-3855
>
>
> On Thu, Feb 23, 2012 at 3:09 AM, Jon Phillips <j...@fabricatorz.com>
> wrote:
>
> > Might as well just allow an eval() then for PHP code in a widget,
> > but I think we should allow for selection of a markup per-widget,
> > so we can have more specific control over this. I still want to
> > think through: what are the real security considerations for just
> > allowing PHP?
> >
> > Jon
> >
> > On Thu, Feb 23, 2012 at 8:10 AM, Bassel Safadi
> > <bassel.saf...@gmail.com> wrote:
> > > Here is a cool project: https://github.com/nikic/PHP-Parser
> > > We can get inspired or use this for Aiki markup. We should just
> > > allow peaceful PHP code to be executed inside the widgets instead
> > > of inventing new markup. It's easier to just write PHP.
> > >
> > > --
> > > Bassel Safadi | http://bassel.ws
> > > Skype: i.know.sy | Global: +1-323-545-3855
> >
> >
> > --
> > Jon Phillips 王✳爻气 http://fabricatorz.com ✳ skype: kidproto ✳
> > irc: rejon +1.415.830.3884 (global) ✳ +86-187-1003-9974 (beijing)

--
Jakub Jankiewicz
twitter: @jcubic
www: http://jcubic.pl

_______________________________________________
Mailing list: https://launchpad.net/~aikiframework-devel
Post to     : aikiframework-devel@lists.launchpad.net
Unsubscribe : https://launchpad.net/~aikiframework-devel
More help   : https://help.launchpad.net/ListHelp
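The "parse it first" approach argued about in the quoted messages (run the widget script through nikic/PHP-Parser and decide from the tree whether it may reach eval() at all), as an added example that is not Aiki's code nor PHP-Parser's own. It assumes the PHP-Parser 4.x API (`ParserFactory::create(ParserFactory::PREFER_PHP7)`, `Node\Scalar\Encapsed`, `Node\Expr\ArrayItem`) installed through Composer; the `WidgetAllowlist` class, `checkWidgetScript()`, the permitted-function list and the four sample scripts are constructed for illustration. It uses an allowlist of node kinds and function names rather than the denylist of "bad scripts" the thread worries about, because PHP lets code reach a function without ever naming it.

```php
<?php
// Added example, not Aiki project code. Assumes nikic/PHP-Parser 4.x
// installed with Composer (composer require nikic/php-parser:^4).
require __DIR__ . '/vendor/autoload.php';

use PhpParser\Error;
use PhpParser\Node;
use PhpParser\NodeTraverser;
use PhpParser\NodeVisitorAbstract;
use PhpParser\ParserFactory;

// Allowlist visitor (hypothetical). A widget script passes only if every
// node in its tree is of a permitted kind and every call names a permitted
// function literally. eval(), include, backticks, `new`, method/static
// calls and variable function calls are simply absent from the list, so
// they are rejected without enumerating "bad" functions; a denylist of
// names cannot catch  $f = 'sys' . 'tem'; $f('id');
final class WidgetAllowlist extends NodeVisitorAbstract
{
    const ALLOWED_FUNCTIONS = ['htmlspecialchars', 'strtoupper', 'count', 'implode', 'date'];
    const SUPERGLOBALS = ['GLOBALS', '_SERVER', '_GET', '_POST', '_FILES',
                          '_COOKIE', '_SESSION', '_REQUEST', '_ENV'];
    const ALLOWED_NODES = [
        Node\Stmt\InlineHTML::class, Node\Stmt\Echo_::class, Node\Stmt\Expression::class,
        Node\Stmt\If_::class, Node\Stmt\Foreach_::class, Node\Expr\Assign::class,
        Node\Expr\Variable::class, Node\Expr\Array_::class, Node\Expr\ArrayItem::class,
        Node\Expr\ArrayDimFetch::class, Node\Expr\BinaryOp::class, Node\Expr\FuncCall::class,
        Node\Scalar\String_::class, Node\Scalar\LNumber::class, Node\Scalar\Encapsed::class,
        Node\Scalar\EncapsedStringPart::class, Node\Name::class, Node\Arg::class,
    ];

    /** @var string[] reasons the script was rejected; empty means accepted */
    public $violations = [];

    public function enterNode(Node $node)
    {
        $line = $node->getLine();
        $permitted = false;
        foreach (self::ALLOWED_NODES as $class) {
            $permitted = $permitted || $node instanceof $class;
        }
        if (!$permitted) {
            $this->violations[] = "line $line: " . $node->getType() . ' is not permitted';
            return null; // keep walking so the report lists every problem
        }
        if ($node instanceof Node\Expr\Variable) {
            if (!is_string($node->name)) {   // $$name: target chosen at run time
                $this->violations[] = "line $line: variable variables are not permitted";
            } elseif (in_array($node->name, self::SUPERGLOBALS, true)) {
                $this->violations[] = "line $line: \$" . $node->name . ' is not permitted';
            }
        }
        if ($node instanceof Node\Expr\FuncCall) {
            if (!$node->name instanceof Node\Name) {
                // $f(...) or ('sys' . 'tem')(...): the callee is an expression,
                // so which function will run is not knowable statically
                $this->violations[] = "line $line: variable function call is not permitted";
            } elseif (!in_array(strtolower($node->name->toString()), self::ALLOWED_FUNCTIONS, true)) {
                $this->violations[] = "line $line: call to " . $node->name->toString() . '() is not permitted';
            }
        }
        return null;
    }
}

// Parse $code and return the violations (empty array = accepted). Run it on
// the exact string that would be passed to eval(), not on an earlier copy.
function checkWidgetScript(string $code): array
{
    $parser = (new ParserFactory)->create(ParserFactory::PREFER_PHP7);
    try {
        $ast = $parser->parse($code);
    } catch (Error $e) {
        return ['syntax error: ' . $e->getMessage()];
    }
    $visitor = new WidgetAllowlist();
    $traverser = new NodeTraverser();
    $traverser->addVisitor($visitor);
    $traverser->traverse($ast);
    return $visitor->violations;
}

// Constructed sample widget scripts, not taken from the thread.
$samples = [
    'peaceful' => '<?php echo htmlspecialchars($title); foreach ($items as $i) { echo "<li>$i</li>"; }',
    'direct'   => '<?php system("id");',
    'indirect' => '<?php $f = "sys" . "tem"; $f("id");',
    'eval'     => '<?php eval(base64_decode($_GET["c"]));',
];
foreach ($samples as $name => $code) {
    $v = checkWidgetScript($code);
    printf("%-9s %s\n", $name, $v ? 'REJECTED: ' . implode('; ', $v) : 'accepted');
}
```

The `indirect` sample is the reason the check is an allowlist: a name-based denylist would see no `system(` in the source text, while the tree shows a call whose callee is a variable. Two caveats belong with this kind of filter. First, a script that passes still runs under eval() with the full privileges of the web application, so every function on the permitted list has to be safe with attacker-chosen arguments; anything that touches files, the network or the database does not belong there. Second, the check only helps if it runs on exactly the text that is about to be evaluated: checking at save time and evaluating a stored copy later leaves any other write path to that copy as a route to code execution.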