With the release of ClojureScript, I can use nothing but Clojure in my apps!
http://wagjo.blogspot.com/2011/07/one-syntax-to-rule-them-all.html
Clojure can run on top of JVM, CLR and Javascript VM. Clojure data
structures can replace syntax of SQL result sets, JSON, XML, HTML, CSS and
other
...and immediately a new attack vector is born with Clojure structure injection
attacks...
I so hope people don't start passing executable clojure back and forth.
On 23/07/2011, at 7:54 PM, Jozef Wagner wrote:
Clojure can run on top of JVM, CLR and Javascript VM. Clojure data structures
can
That's why *read-eval* should IMHO default to false. Does anybody know the
reason why it doesn't?
On Saturday, July 23, 2011 10:35:40 AM UTC+2, Mark Derricutt wrote:
...and immediately a new attack vector is born with Clojure structure
injection attacks...
I so hope people don't start passing
On Sat, 2011-07-23 at 03:03 -0700, Jozef Wagner wrote:
That's why *read-eval* should IMHO default to false. Does anybody know the
reason why it doesn't?
-1
On Saturday, July 23, 2011 10:35:40 AM UTC+2, Mark Derricutt wrote:
...and immediately a new attack vector is born with Clojure
The fact that Read and Eval are separate steps is fundamental here. The
ClojureScript reader does not eval, and the Clojure reader gives you the knobs
you need to do what you want.
Stu
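
The reader knob mentioned in the message above, as an added example that is not part of the original thread: the same two strings are read with `*read-eval*` bound to true, bound to false, and with `clojure.edn/read-string`. It assumes Clojure 1.5 or later for `clojure.edn` (which postdates this thread); the namespace, function names and sample messages are constructed for illustration.

```clojure
(ns reader-demo
  (:require [clojure.edn :as edn]))

;; Constructed sample messages, as they might arrive from a peer you do not control.
(def plain-msg "{:user \"alice\" :roles [:admin]}")
;; #= asks the Clojure reader to evaluate the following form while reading.
(def eval-msg "{:user #=(str \"al\" \"ice\")}")

(defn try-read
  "Applies reader function f to string s. Returns {:ok value} when the
  string was read, or {:rejected message} when the reader refused it."
  [f s]
  (try
    {:ok (f s)}
    (catch Exception e
      {:rejected (.getMessage e)})))

(defn read-with-eval
  "clojure.core/read-string with *read-eval* pinned to true, the setting
  the thread is debating. Read-time evaluation of #= forms is allowed."
  [s]
  (binding [*read-eval* true]
    (read-string s)))

(defn read-without-eval
  "clojure.core/read-string with the knob turned off. Plain data is still
  read; #= forms make the reader throw instead of evaluating."
  [s]
  (binding [*read-eval* false]
    (read-string s)))

(defn read-as-edn
  "clojure.edn/read-string: a data-only reader with no #= dispatch, so it
  does not depend on the current value of *read-eval*."
  [s]
  (edn/read-string s))

;; Print the outcome of every reader on every sample message.
(doseq [[label f] [["read-string, *read-eval* true " read-with-eval]
                   ["read-string, *read-eval* false" read-without-eval]
                   ["clojure.edn/read-string       " read-as-edn]]
        msg       [plain-msg eval-msg]]
  (println label "|" msg "=>" (pr-str (try-read f msg))))
```

All three readers return the same map for the plain message; only the first one runs the `#=` form, and the other two reject that message at read time.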
IMHO *read-eval* should ONLY ever be true -IF- you're using a REPL. Having
that on by default feels very insecure.
And whilst code is data, and would be great to pass around, that's awesome when
you're in a position to trust both ends of the system - but in the world of
browsers and javascript
...and the moment I hit send I remembered that in a language like Clojure -
read/eval is the only way to get code in the running system, unless you're
using AOT classes, and turning that off would be essentially turning off Clojure.
On 24/07/2011, at 12:04 AM, Mark Derricutt wrote:
IMHO
We have been delivering our software AOT compiled for more than a year,
roughly.
We never disabled read-eval...
We are sending messages serialized in Clojure on our message bus in our next
release instead of serializing with YAML.
We do however encrypt it and most of that traffic is concealed