Hacker News new | past | comments | ask | show | jobs | submit login

For React Native, at least, I think the threat model is a little different. Browsers have to deal with any hostile webpage, so all input can be considered hostile to something like the layout engine -- but here, you're baking the application along with the engine and shipping it wholesale. But I guess it depends on the details of how Yoga actually integrates and what its surface area actually is.

That said, I think the more likely conclusion for security vulnerabilities is the one you allude to, where people will probably end up reusing this component elsewhere and exposing the engine to potentially hostile input somewhere along the line, and it might not end well.

Right, it's not an issue with React Native. My concern is that people will end up using this in browser-like settings with untrusted content. Do they adequately guard against stack overflow with deeply nested layouts, for example?

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact