- From: Ian Dickinson <ian.dickinson@hp.com>
- Date: Sat, 07 Oct 2006 19:32:55 +0100
- To: Richard Newman <r.newman@reading.ac.uk>
- Cc: SW-forum <semantic-web@w3.org>
Richard Newman wrote:
> Because RDF/XML, SPARQL-XML, and turtle are great, but nothing beats
>
> var mine = eval ("(" + input + ")");
>
> in Javascript.
Isn't that something of a glaring security hole? Passing an arbitrary
string to eval seems to me to just invite compromises analogous to SQL
injection attacks.
Ian
___________________________________________________________________
Ian Dickinson HP Labs, Bristol, UK mailto:ian.dickinson@hp.com
http://www.hpl.hp.com/personal/Ian_Dickinson ph:+44-117-312-8796
Received on Saturday, 7 October 2006 18:33:00 UTC
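To make the injection point concrete, here is an added example (not code from either poster): the `eval("(" + input + ")")` idiom beside `JSON.parse`, run on two constructed payloads. The parentheses are what make the leading `{` parse as an object literal rather than a block, which is exactly why any JavaScript expression placed inside a value executes. The hostile payload only sets a global flag; the names `BENIGN`, `HOSTILE`, `compare` and `evalRan` are assumptions for this illustration. Runs under Node.js.

```javascript
// Added example, not from the original thread. Compares the eval() idiom
// quoted above with JSON.parse() on untrusted input. Both payloads below
// are constructed for this illustration.

// Constructed benign payload: the kind of object the eval idiom was meant to handle.
const BENIGN = '{"subject": "http://example.org/a", "predicate": "rdf:type"}';

// Constructed hostile payload: still shaped like an object literal, but one
// value is an arbitrary JavaScript expression. With eval() it runs; the side
// effect here is just a global flag (a real payload could read cookies or
// exfiltrate data). The comma operator makes the value still look valid.
const HOSTILE = '{"subject": "x", "predicate": (globalThis.evalRan = true, "rdf:type")}';

// The idiom from the thread: the input string is treated as JavaScript source.
function parseWithEval(input) {
  return eval("(" + input + ")");
}

// Hardened version: JSON.parse accepts only the JSON grammar and never
// executes anything; code-bearing or malformed input raises SyntaxError.
function parseWithJson(input) {
  return JSON.parse(input);
}

// Run both parsers on one input and report results, errors and side effects.
function compare(input) {
  const report = {
    evalResult: null, evalError: null, evalSideEffect: false,
    jsonResult: null, jsonError: null,
  };
  globalThis.evalRan = false; // reset the constructed side-effect marker
  try {
    report.evalResult = parseWithEval(input);
  } catch (e) {
    report.evalError = e.name;
  }
  report.evalSideEffect = globalThis.evalRan === true;
  try {
    report.jsonResult = parseWithJson(input);
  } catch (e) {
    report.jsonError = e.name;
  }
  return report;
}

// Stand-alone demonstration: eval() silently executes the hostile value,
// JSON.parse() rejects it with SyntaxError.
console.log("benign :", JSON.stringify(compare(BENIGN)));
console.log("hostile:", JSON.stringify(compare(HOSTILE)));
```

On the benign input both parsers return the same object; on the hostile input `eval` returns a plausible-looking object and has already run the embedded expression, while `JSON.parse` throws before anything executes. Where `JSON.parse` is unavailable (as in many 2006-era browsers), the same separation of data from code has to come from a validating parser rather than from `eval`.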