Marc Weber wrote:
> I still don't get it.
> Who is going to add style attributes causing injections?
> The user (client side): can do so anyway by using javascript: urls in the
> browser window or firebug lite like tools
> The programmer? The programmer can do whatever he/she wants anyway.
> In which way is it different from the programmer using eval in an unsafe
> way?

It's just like using eval() in an unsafe way, but Ur/Web rules out
eval()! An invariant of Ur/Web is that strings are never interpreted as
programs and executed, unless your program contains an explicit interpreter.
_______________________________________________
Ur mailing list
http://www.impredicative.com/cgi-bin/mailman/listinfo/ur