Mr. dot is evil is the first thing we taught new engineers at Facebook during the security engineering onboarding.

There’s a whole slide deck (filled with real code snippets) with examples where a string was used instead of a better suited object representation and led to a security flaw.

We eventually built xhp/jsx to get rid of strings holding HTML data, but that was just scratching the surface of bugs caused by user-supplied strings.
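
As an added example (not code from the thread or from Facebook's XHP/JSX), here is the concatenation habit beside a minimal typed-node representation in which plain strings are always text and escaping happens at render time; `escapeHtml`, `Element` and `h` are names chosen for this illustration, and the sample name is constructed.

```javascript
// Added example: string concatenation versus a typed HTML node tree.
// Escape the characters that change meaning in HTML text and attribute values.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// "Mr. dot" version: the untrusted name is spliced straight into the markup.
// A reader of this function cannot tell whether `name` was ever escaped.
function greetingConcat(name) {
  return '<div class="greeting">Hello, ' + name + "</div>";
}

// Typed version (hypothetical, XHP/JSX-like): markup and text are distinct
// values until render time, so a string child can only ever become text.
class Element {
  constructor(tag, attrs = {}, children = []) {
    this.tag = tag;
    this.attrs = attrs;
    this.children = children;
  }
  render() {
    const attrs = Object.entries(this.attrs)
      .map(([k, v]) => ` ${k}="${escapeHtml(v)}"`)
      .join("");
    // Nested Elements render recursively; anything else is escaped as text.
    const body = this.children
      .map((c) => (c instanceof Element ? c.render() : escapeHtml(c)))
      .join("");
    return `<${this.tag}${attrs}>${body}</${this.tag}>`;
  }
}

const h = (tag, attrs, ...children) => new Element(tag, attrs, children);

function greetingTyped(name) {
  return h("div", { class: "greeting" }, "Hello, ", name).render();
}

// Constructed sample input containing markup characters.
const SAMPLE_NAME = "<b>Ada & Bob</b>";
console.log(greetingConcat(SAMPLE_NAME)); // markup passes through untouched
console.log(greetingTyped(SAMPLE_NAME));  // markup is rendered as literal text
```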

Mr. Dot as in the PHP string concatenation operator?


That's my guess as well.

Speaking of "evil" broken abstractions...
