[Date Prev][Date Next][Thread Prev][Thread Next]
[Date Index]
[Thread Index]
- Subject: Re: HTML-generating _ENV
- From: Tangent 128 <tangent128@...>
- Date: Tue, 20 Nov 2012 01:39:27 -0500
On 11/18/2012 06:02 PM, Jay Carlson wrote:
> One very nice thing is that it produces correct HTML without any extra
> effort. Strings encountered during processing are considered to
> be...strings. There is a separate type for "HTML fragment" (a
> particular metatable) so you have to go out of your way to let people
> inject cross-side scripting. You mark strings with rawHTML() if you're
> willing to guarantee that what you're putting in is well-formed,
> properly quoted HTML. I know the point was _ENV stuff, but entirely
> too much Web hackery requires special effort to keep these things
> straight, and I'm happy to see good examples. There's still charset
> correctness to worry about, but standard Lua doesn't help much there
> (since C doesn't either).
Yeah, a friend from the Ruby world looked at me pretty strongly until I
implemented that safety approach. :P
As for charsets... with proper webserver configuration, most people are
lucky enough these days to be able to simply insist on UTF-8. (unless
there are security risks beyond mojibake that hermetic handling of
strings won't mitigate? Would be interesting to hear about...)
> OTOH, your example had a fun braino:
>> do _ENV = htmlua
> ...
>> end
>> -- use tostring(result)
> tostring(result) ->" <tostring>"..result.."</tostring>"
> print(result) -> "<print>"..result.."</print>"
>
> :-)
I make a habit of fixing functions I use as locals for faux
optimization, works fine for me. ;)
~Joseph