<html><head><meta http-equiv="Content-Type" content="text/html charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class=""><div><blockquote type="cite" class=""><div class="">On Apr 9, 2017, at 8:46 PM, FĂ©lix Cloutier <<a href="mailto:felixcca@yahoo.ca" class="">felixcca@yahoo.ca</a>> wrote:</div><br class="Apple-interchange-newline"><div class=""><span style="font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; float: none; display: inline !important;" class="">For XML, I know that you have this XMLString idea, but I think that it would be very complex to implement in practice. XML has several different contexts in which escaping has to be different. For instance, you shouldn't escape the same things in an attribute value as in a comment, or in an XML text node, or in a CDATA node, and that means that you have to be aware of what you're looking for at the point where interpolation happens. It's also possible to come up with uncheckable/incorrect cases (like `<foo \(bar)>`), meaning that it either has to accept anything in some cases or be failable (and besides, "just remove :XMLString and it works!").</span></div></blockquote></div><div class=""><br class=""></div><div class="">It is complex, and yet Rails has done this kind of thing pretty successfully (in a different, dynamic-language-y way) for about eight years: <<a href="https://github.com/rails/rails/blob/master/activesupport/lib/active_support/core_ext/string/output_safety.rb" class="">https://github.com/rails/rails/blob/master/activesupport/lib/active_support/core_ext/string/output_safety.rb</a>></div><div class=""><br class=""></div><div class="">You just have to scale back your ambitions slightly. Your goal is not to somehow, through the type system, prevent the construction of an invalid string. Your goal is to ensure that interpolated content is, by default, escaped enough to prevent injection attacks. Developers can still make escaping mistakes, but those mistakes will err on the side of escaping too much instead of too little. You can't prevent failure entirely, but you can fail secure instead of failing insecure.</div><div class=""><br class=""></div><div class="">
<span class="Apple-style-span" style="border-collapse: separate; color: rgb(0, 0, 0); font-family: Helvetica; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: 0px; -webkit-text-decorations-in-effect: none; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; "><div class=""><div style="font-size: 12px; " class="">-- </div><div style="font-size: 12px; " class="">Brent Royal-Gordon</div><div style="font-size: 12px; " class="">Architechies</div></div></span>
</div>
<br class=""></body></html>