lua-users home
lua-l archive

[Date Prev][Date Next][Thread Prev][Thread Next] [Date Index] [Thread Index]

> Say a network server needs to make sure you throw only alphanumeric
> characters at it. But string.find(s, "^%w*$") will behave unpredictably,
> depending on the LC_COLLATE/LC_ALL setting. This means the regexp
> functions are a big no-no to use for any security-conscious application.

You can write "^[A-Za-z0-9]*$" if that is what you want.

> Maybe it needs to gain more independence from libc (e.g. doing ctype
> yourself is trivial). Maybe it should not use every ISO/ANSI C library
> function, just because it's there and it's standard (but badly
> designed).

We don't use library functions "just because it's there". The problem
you mentioned about the parser involves function "strtod". This function
is big and complex. If we put a full implementation inside the Lua
core, we will be responsible for its bugs, will have to worry about its
license (probably we would "borrow" someone else's implementation), and
will increase the size of the core.

The other uses of "NLS" in the core (ctype in the lexer and strcoll 
for string comparison) were consciously chosen to be that way. They
may be bad decisions, but have nothing to do with using a function
just because it was there.

-- Roberto