One syntax to rule them all

2011-07-23 Thread Jozef Wagner
With the release of ClojureScript, I can use nothing but Clojure in my apps! http://wagjo.blogspot.com/2011/07/one-syntax-to-rule-them-all.html Clojure can run on top of JVM, CLR and Javascript VM. Clojure data structures can replace syntax of SQL result sets, JSON, XML, HTML, CSS and other

Re: One syntax to rule them all

2011-07-23 Thread Mark Derricutt
...and immediately a new attack vector is born with Clojure structure injection attacks... I so hope people don't start passing executable clojure back and forth. On 23/07/2011, at 7:54 PM, Jozef Wagner wrote: Clojure can run on top of JVM, CLR and Javascript VM. Clojure data structures can

Re: One syntax to rule them all

2011-07-23 Thread Jozef Wagner
That's why *read-eval* should IMHO default to false. Anybody knows the reason why it doesn't? On Saturday, July 23, 2011 10:35:40 AM UTC+2, Mark Derricutt wrote: ...and immediately a new attack vector is born with Clojure structure injection attacks... I so hope people don't start passing

Re: One syntax to rule them all

2011-07-23 Thread daly
On Sat, 2011-07-23 at 03:03 -0700, Jozef Wagner wrote: That's why *read-eval* should IMHO default to false. Anybody knows the reason why it doesn't? -1 On Saturday, July 23, 2011 10:35:40 AM UTC+2, Mark Derricutt wrote: ...and immediately a new attack vector is born with Clojure

Re: One syntax to rule them all

2011-07-23 Thread Stuart Halloway
The fact that Read and Eval are separate steps is fundamental here. The ClojureScript reader does not eval, and the Clojure reader gives you the knobs you need to do what you want. Stu ...and immediately a new attack vector is born with Clojure structure injection attacks... I so hope

Re: One syntax to rule them all

2011-07-23 Thread Mark Derricutt
IMHO *read-eval* should ONLY ever be true -IF- you're using a REPL. Having that on by default feels very insecure. And whilst code is data, and would be great to pass around, that's awesome when you're in a position to trust both ends of the system - but in the world of browsers and javascript

Re: One syntax to rule them all

2011-07-23 Thread Mark Derricutt
...and the moment I hit send I remembered that in a language like clojure - read/eval is the only way to get code in the running system, unless you're using AOT classes and turning that off would be essentially turning off clojure. On 24/07/2011, at 12:04 AM, Mark Derricutt wrote: IMHO

Re: One syntax to rule them all

2011-07-23 Thread Luc Prefontaine
We have been delivering our software AOT compiled for more than a year, roughly. We never disabled read-eval... We are sending messages serialized in Clojure on our message bus in our next release instead of serializing with Yaml. We do however encrypt it and most of that traffic is concealed
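
The "knobs" Stuart mentions and the message-bus use Luc describes come together in the following added example, which is not code from anyone in this thread. It reads a Clojure data literal from an untrusted source with *read-eval* bound to false, so the reader parses data but refuses to evaluate an embedded #= form, and then checks the shape of what it read before using it. The namespace, function names and the two sample messages are constructed for this example; it assumes Clojure 1.3 or later on the JVM.

```clojure
;; Added example (not from this thread): reading Clojure data from an
;; untrusted source with *read-eval* bound to false, so the reader parses
;; data but never evaluates #= forms embedded in the input.
;; Assumes Clojure 1.3 or later on the JVM.

(ns readeval-demo)

;; Constructed sample messages, as they might travel on a message bus.
(def well-formed-msg
  "{:type :order, :id 42, :items [\"widget\" \"gadget\"]}")

;; A message carrying the #= reader macro, which asks the reader to evaluate
;; a form while reading. The form here is deliberately harmless.
(def eval-bearing-msg
  "{:type :order, :id #=(+ 40 2)}")

(defn read-data-only
  "Read one Clojure form from s without evaluating anything.
   With *read-eval* false, the reader throws on #= instead of running it."
  [s]
  (binding [*read-eval* false]
    (read-string s)))

(defn parse-order
  "Read an order message and check its shape before it goes any further.
   Returns the order map, or nil when the message is rejected."
  [s]
  (let [m (try
            (read-data-only s)
            (catch RuntimeException e
              ;; The reader refused the input (EvalReader not allowed).
              (println "rejected:" (.getMessage e))
              nil))]
    (if (and (map? m)
             (= :order (:type m))
             (integer? (:id m))
             (every? string? (:items m)))
      m
      (do (println "unexpected shape:" (pr-str m))
          nil))))

(defn -main
  [& _]
  ;; Accepted: plain data reads back as a map.
  (println "well-formed ->" (pr-str (parse-order well-formed-msg)))
  ;; Rejected: the #= form is never evaluated because *read-eval* is false,
  ;; so the reader throws and parse-order returns nil.
  (println "eval-bearing ->" (pr-str (parse-order eval-bearing-msg)))
  ;; For contrast, under the default (*read-eval* true) the same string
  ;; would have (+ 40 2) evaluated during read and parse as a valid order.
  )
```

The shape check matters as much as the binding: turning off *read-eval* stops the reader from running code, but it still returns whatever data structure the sender chose, so the consumer should validate keys and types before acting on it. In Clojure 1.5 and later, clojure.edn/read-string is the reader designed for exactly this data-only use and never evaluates; it did not exist when this thread was written.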