> The real issue is a) above. Scripting languages, by their nature, make
> heavy use of "in-band signalling", where language constructs are
> embedded within data. Unless care is taken to prevent the problem, the
> risk is that user-supplied "data" can effectively become user-supplied
> code.

I can't figure out what you are talking about: in what scripting language does user-supplied data become user-supplied code without the programmer explicitly calling some function to execute the data as code? You seem to think that substitutions triggered by metacharacters are triggered on user-inputted data as well. I can't think of any commonly used scripting language that will expand user-inputted metacharacters or execute user input as if it were code without the programmer explicitly doing such.

I have seen a lot of recent bugs that arose from the use of C format strings, though, which readily expanded user-inputted macros.

Jeff
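The C format-string behaviour Jeff mentions, as an added example for this archive page (it is not code from any poster in the thread): a hypothetical varargs logging wrapper, `render`, is first called with the user's string as the format itself and then, correctly, with the string as an argument to a constant "%s" format. A small scanner, `count_format_directives`, counts the conversions an untrusted string would trigger if it were used as a format; the sample input is constructed. Only the "%%" directive is exercised in the unsafe path because that is the one case that stays well defined without matching arguments.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical logging wrapper of the kind that hides the printf family
 * behind a varargs helper. Because the format reaching vsnprintf is not
 * a string literal, gcc's -Wformat-security does not warn at the call
 * sites below; the bug is invisible to the compiler. */
static int render(char *out, size_t n, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int r = vsnprintf(out, n, fmt, ap);
    va_end(ap);
    return r;
}

/* BAD: the user-supplied string is the format, so every '%' directive in
 * it is interpreted. With "%%" the result is merely altered data; a "%s",
 * "%x" or "%n" would read or write through whatever is on the stack. */
int log_unsafe(const char *user, char *out, size_t n)
{
    return render(out, n, user);
}

/* GOOD: the user-supplied string is an argument to a constant format, so
 * it is copied verbatim and never parsed for directives. */
int log_safe(const char *user, char *out, size_t n)
{
    return render(out, n, "%s", user);
}

/* Count the conversion directives vsnprintf would act on if this string
 * were used as a format. "%%" is an escaped percent and is not counted.
 * Usable as a test oracle or as a check on any format that is not a
 * compile-time literal. */
int count_format_directives(const char *s)
{
    int count = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {   /* literal percent: skip the pair */
            s++;
            continue;
        }
        count++;             /* a real conversion: %s, %x, %n, ... */
    }
    return count;
}

int main(void)
{
    /* Constructed sample input: a user typed a percent sign. */
    const char *user = "Job is 100%% done";
    char buf[128];

    log_unsafe(user, buf, sizeof buf);
    printf("unsafe: %s\n", buf);   /* data was parsed as a format */
    log_safe(user, buf, sizeof buf);
    printf("safe:   %s\n", buf);   /* data kept verbatim */
    printf("directives in \"%%x %%x %%n\": %d\n",
           count_format_directives("%x %x %n"));
    return 0;
}
```

Compile with `gcc -Wall -Wformat-security` to see that neither call site is flagged; the only reliable defence is the constant-format call in `log_safe`.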
This archive was generated by hypermail 2b30 : Thu Jun 21 2001 - 20:34:41 PDT