Hacker News

Except that using validation at all in this case is a mistake, especially writing it yourself for a narrow case, much less using regexes to do it.

Escaping, damnit.
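An added illustration of the point the comment above makes, written for this page rather than taken from the thread or from Rails: a hand-rolled regex "validator" either lets a crafted value through or rejects legitimate data, whereas escaping on output is safe regardless of what the string contains. The inputs are constructed, the HTML attribute context is an assumed example of where such a value ends up, and `ERB::Util.html_escape` is used as the escaping routine because it is the one Rails' `h` helper builds on.

```ruby
require "erb"

# Constructed sample inputs (added illustration, not from the thread): a
# legitimate name and a value crafted to slip past a naive tag filter.
BENIGN  = "O'Reilly"
HOSTILE = %q{" onmouseover="alert(1)}  # contains no angle brackets at all

# Validation approach: a narrow, self-written regex that only refuses tag
# openers. This is the kind of check the comment warns against.
def passes_tag_filter?(value)
  value !~ %r{<[a-z/!]}i
end

def render_validated(value)
  raise ArgumentError, "rejected by validator" unless passes_tag_filter?(value)
  %(<input type="text" value="#{value}">)
end

# Tightening the regex closes the attribute hole, but now rejects real data
# such as names containing an apostrophe.
def passes_strict_filter?(value)
  value.match?(/\A[A-Za-z0-9 ]+\z/)
end

# Escaping approach: encode for the attribute context at output time, every
# time, with no attempt to decide what "dangerous" looks like.
def render_escaped(value)
  %(<input type="text" value="#{ERB::Util.html_escape(value)}">)
end

# Number of attribute assignments in the rendered tag. A correctly rendered
# input has exactly two (type= and value=); a third means the value broke out
# of its attribute and injected its own.
def attribute_count(html)
  html.scan(/\s[a-z]+="/).length
end

if __FILE__ == $0
  puts "tag filter accepts hostile value: #{passes_tag_filter?(HOSTILE)}"
  puts "validated render:  #{render_validated(HOSTILE)}"
  puts "escaped render:    #{render_escaped(HOSTILE)}"
  puts "strict filter rejects #{BENIGN.inspect}: #{!passes_strict_filter?(BENIGN)}"
  puts "escaped benign:    #{render_escaped(BENIGN)}"
end
```

Running it shows the hostile value passing the tag filter and adding a third attribute (`onmouseover=`) to the rendered tag, while the escaped rendering keeps exactly two attributes and the same string becomes inert text inside `value="..."`. The strict regex fixes that one hole only by refusing `O'Reilly`, which is the narrow-case trap: every validator is written against the attacks its author thought of, whereas escaping is defined by the output context and does not need to guess.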



Yes, I agree. That's why we've tried to assist Rails Core in reviewing a more comprehensive string tainting model. I've said for some time now that security needs to be institutionalized in frameworks in order for developers to be unable to make stupid mistakes like this one.




