IMHO *read-eval* should ONLY ever be true -IF- you're using a REPL.  Having 
that on by default feels very insecure.

And whilst code is data, and would be great to pass around, that's awesome when 
you're in a position to trust both ends of the system - but in the world of 
browsers and JavaScript consoles giving you easy areas of exploitation, it 
doesn't matter that eval is disabled on the client when you can just send code 
to the server...

On 23/07/2011, at 11:34 PM, daly wrote:

> If you don't want your application to execute code then set 
> *read-eval* to false, defn eval to do nothing, write a custom
> reader (e.g. a JSON reader) that you invoke, stomp on the
> # reader dispatch by writing a dispatch-reader-macro, etc.
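
The effect of the *read-eval* setting discussed in this thread, as an added example that is not part of either message. It assumes Clojure 1.5 or later for clojure.edn; `untrusted` and `try-read` are hypothetical names, and the input string is constructed.

```clojure
(require '[clojure.edn :as edn])

;; Constructed sample input: a harmless form behind the #= reader-eval dispatch.
(def untrusted "#=(+ 1 2)")

(defn try-read
  "Calls reader-fn on s. Returns the value read, or [:rejected message]
   when the reader refuses the input. (Hypothetical helper for this example.)"
  [reader-fn s]
  (try
    (reader-fn s)
    (catch Exception e
      [:rejected (.getMessage e)])))

;; 1. Core reader with *read-eval* true: the form is evaluated while reading.
(println "read-string, *read-eval* true: "
         (binding [*read-eval* true]
           (try-read read-string untrusted)))

;; 2. Core reader with *read-eval* false: the #= dispatch is refused.
(println "read-string, *read-eval* false:"
         (binding [*read-eval* false]
           (try-read read-string untrusted)))

;; 3. Data-only reader: clojure.edn has no #= dispatch at all,
;;    whatever *read-eval* is bound to.
(println "edn/read-string on #= input:   "
         (try-read edn/read-string untrusted))

;; Plain data still reads normally through the data-only reader.
(println "edn/read-string on plain data: "
         (try-read edn/read-string "{:user \"alice\" :roles [:admin]}"))
```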
