lua-users home
lua-l archive

[Date Prev][Date Next][Thread Prev][Thread Next] [Date Index] [Thread Index]

* Yuri Takhteyev:

> While XSS attacks are almost always based on browser bugs,

Not true.  Most of them are caused by templating engines which do not
differentiate between template contents and externally supplied data
at the type level.  (This does not need a static type system, a
dynamic type system is completely sufficient.)

It's actually fairly easy to patch existing templating frameworks to
implement this, but you may lose tool support along the way.  And if
the template framework does not support the moral equivalent of
subroutines, the changes are not backwards-compatible.