[TLUG]: ECMAScript ("Javascript") Version 4 - FALSE ALARM

Mark Miller erights at gmail.com
Sun Oct 28 18:00:44 PDT 2007


On 10/28/07, Robert Sayre <sayrer at gmail.com> wrote:
> It's not all disagreement, though. One aspect of Google Caja seems
> preferable to me: the JSON object. In fact, I would like the committee
> to drop the JSON methods on the object prototype in favor of letting
> host environments provide that API.

I agree. Let's also not add .toJSONString() and .fromJSONString() to
the language.

.toJSONString() creates quoting confusions that can lead to XSS-like
vulnerabilities
<http://google-caja.googlecode.com/svn/trunk/src/js/com/google/caja/JSON.js>.

.fromJSONString() is inappropriate as a method of String. A String can
represent source text of any of a large variety of languages. Each
language should know how to parse Strings. Strings should not know how
to be parsed in any particular language. We should follow the object
design principle that Rebecca Wirfs-Brock calls "responsibility based
design".

However, Rebecca is related to the evil Allen of Microsoft, so perhaps
responsibility based design is part of some evil corporate plot? Or
maybe we should evaluate the logic of what people are saying
independent of their corporate affiliation?

-- 
Text by me above is hereby placed in the public domain

    Cheers,
    --MarkM
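
One way a per-object serialization method can produce the kind of quoting confusion mentioned in the message, as an added JavaScript example (not part of the original message, and not code from json.js or Caja). It assumes a serializer that splices in whatever text a value's own toJSONString() returns; perObjectSerialize, standaloneSerialize and the sample record are hypothetical.

```javascript
// Added illustration, not code from json.js or Caja. All names are hypothetical.
const PAYLOAD = '"hi","role":"admin"';   // constructed sample input

// Per-object style: a value that has toJSONString() serializes itself, and
// the container splices that text into its own output without checking it.
function perObjectSerialize(value) {
  if (value === null || typeof value !== 'object') {
    return JSON.stringify(value);                 // primitives are quoted here
  }
  if (typeof value.toJSONString === 'function') {
    return value.toJSONString();                  // trusted as well-formed JSON
  }
  if (Array.isArray(value)) {
    return '[' + value.map(perObjectSerialize).join(',') + ']';
  }
  return '{' + Object.keys(value).map(
    (k) => JSON.stringify(k) + ':' + perObjectSerialize(value[k])
  ).join(',') + '}';
}

// Standalone style: one serializer owns all quoting. A toJSON() hook may pick
// the value to serialize, but its result is still escaped by the serializer.
function standaloneSerialize(value) {
  return JSON.stringify(value);
}

function demo() {
  const spliced = perObjectSerialize({
    role: 'guest',
    comment: { toJSONString: () => PAYLOAD },     // untrusted object
  });
  const quoted = standaloneSerialize({
    role: 'guest',
    comment: { toJSON: () => PAYLOAD },           // same text, via toJSON
  });
  return {
    spliced,
    splicedRole: JSON.parse(spliced).role,        // duplicate key: last one wins
    quoted,
    quotedRole: JSON.parse(quoted).role,
    quotedComment: JSON.parse(quoted).comment,
  };
}

console.log(demo());
```

In the per-object style the untrusted value decides where its own quoting ends, so its text becomes structure in the enclosing document; in the standalone style the same text stays data.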


