On 30/06/2009, at 9:42 PM, Aryeh Gregor wrote:

> On Tue, Jun 30, 2009 at 4:25 PM, Brion Vibber<[email protected]> wrote:
>> IMO by the time you've implemented your whitelisting parser you might as
>> well just interpret it rather than eval()ing.
>
> I don't think so.  You'd only have to do the whitelisting once, on
> page save.  After that you could just execute with no extra overhead.

That's just scary. We'd definitely want to do the validation as close  
as possible to the actual eval()ing, to minimise backdoors like  
Special:Import et al.

--
Andrew Garrett
Contract Developer, Wikimedia Foundation
[email protected]
http://werdn.us




_______________________________________________
Wikitech-l mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
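The trade-off argued in this message, as an added example that is not part of the original thread and is not MediaWiki code: a save-time whitelist misses content that reaches storage by another write path, while a check made immediately before evaluation catches it. `PageStore`, `import_page` and the arithmetic-only whitelist are hypothetical, and Python's `ast` module stands in for the whitelisting parser under discussion.

```python
import ast

# Constructed whitelist: numeric literals and basic arithmetic only.
ALLOWED = (ast.Expression, ast.BinOp, ast.UnaryOp, ast.Constant,
           ast.Add, ast.Sub, ast.Mult, ast.Div, ast.USub)

class Rejected(Exception):
    pass

def validate(source):
    """Parse source and reject any node type outside the whitelist."""
    try:
        tree = ast.parse(source, mode="eval")
    except SyntaxError as exc:
        raise Rejected(str(exc))
    for node in ast.walk(tree):
        if not isinstance(node, ALLOWED):
            raise Rejected("disallowed node: " + type(node).__name__)
        if isinstance(node, ast.Constant) and type(node.value) not in (int, float):
            raise Rejected("non-numeric literal")
    return tree

class PageStore:
    """Hypothetical page store with two write paths."""
    def __init__(self):
        self.pages = {}

    def save(self, title, source):
        validate(source)              # whitelisting done once, on page save
        self.pages[title] = source

    def import_page(self, title, source):
        # Stand-in for an import-style path that writes to storage
        # without passing through save().
        self.pages[title] = source

def run_trusting_save(store, title):
    """Evaluates whatever is stored, assuming save() already checked it."""
    return eval(store.pages[title], {"__builtins__": {}}, {})

def run_validating(store, title):
    """Validates immediately before evaluating the tree it just checked."""
    tree = validate(store.pages[title])
    return eval(compile(tree, title, "eval"), {"__builtins__": {}}, {})
```

`run_validating` compiles the same tree it validated, so nothing can change between the check and the evaluation.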
