And not including eval and base64_encode would be ridiculous. No programming language is at all difficult to do nasty things with if you decide it's a good idea to include random untrusted code snippets.



Sandboxing would be helpful. Java-like or Lua-like.


Java-style sandboxing prevents all run code from having access to anything important on the filesystem (&c) which a) wouldn't really work for a server-run application and b) wouldn't at all prevent the type of nasty that shows up in those WP themes.

I'm not terribly familiar with Lua sandboxing, but a cursory overview suggests that absolutely nothing would prevent it from including similar nastiness if used in display code.

In any case, something like a website theme, in any language, can always display HTML that is at least that hidden. So sure, kill base64_decode in PHP, but as long as you have a Turing-complete language (which is at least moderately inevitable if you allow any logic in your templating system at all), you can implement the equivalent trivially.

If you completely neuter your templating system, then do something like include inline base64 in CSS as image data, and decode & exec it using JS. Google's spiders will run JS now, unless I'm mistaken, so that's just as good from an SEO standpoint.
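A defender-side check for the eval/base64_decode pattern this thread is discussing, as an added example that is not part of the thread: it scans PHP theme source for eval() wrapped around a decoder chain and decodes the payload so a reviewer can see what the theme would actually echo. The sample theme snippet and the example.invalid link are constructed for the example.

```python
"""Find eval() of an encoded payload in PHP source and show what it decodes to."""
import base64
import re
import zlib

# eval( <one or more decoder wrappers>( '<blob>' ) ... )  -- the obfuscation shape
# commonly seen in tampered themes; only the decoders handled below are matched.
EVAL_RE = re.compile(
    r"\beval\s*\(\s*((?:(?:base64_decode|gzinflate|gzuncompress)\s*\(\s*)+)"
    r"['\"]([A-Za-z0-9+/=]+)['\"]\s*\)+",
    re.IGNORECASE,
)

def decode_payload(wrappers, blob):
    """Undo the decoder chain innermost-first, i.e. in the order PHP would run it."""
    names = re.findall(r"[a-z0-9_]+", wrappers.lower())
    data = blob.encode()
    for name in reversed(names):
        if name == "base64_decode":
            data = base64.b64decode(data)
        elif name == "gzinflate":        # raw DEFLATE stream, no zlib header
            data = zlib.decompress(data, -15)
        elif name == "gzuncompress":     # zlib-wrapped stream
            data = zlib.decompress(data)
    return data.decode("utf-8", errors="replace")

def find_obfuscated_evals(source):
    """Return one finding per eval(decoder(...)) call: line, decoder chain, payload."""
    findings = []
    for m in EVAL_RE.finditer(source):
        findings.append({
            "line": source.count("\n", 0, m.start()) + 1,
            "wrappers": re.findall(r"[a-z0-9_]+", m.group(1).lower()),
            "decoded": decode_payload(m.group(1), m.group(2)),
        })
    return findings

# Constructed sample: a theme file carrying a hidden link two ways, plus one benign
# base64_decode that is not inside eval() and must not be flagged.
HIDDEN = "echo '<div style=\"display:none\"><a href=\"http://example.invalid/\">x</a></div>';"
_b64 = lambda b: base64.b64encode(b).decode()
def _deflate(b):                          # raw DEFLATE, matching PHP gzdeflate()
    c = zlib.compressobj(wbits=-15)
    return c.compress(b) + c.flush()
SAMPLE_THEME = "\n".join([
    "<?php get_header(); ?>",
    "<?php eval(base64_decode('" + _b64(HIDDEN.encode()) + "')); ?>",
    "<?php eval(gzinflate(base64_decode('" + _b64(_deflate(HIDDEN.encode())) + "'))); ?>",
    "<?php echo base64_decode('SGVsbG8='); ?>",
])

if __name__ == "__main__":
    for f in find_obfuscated_evals(SAMPLE_THEME):
        print(f["line"], "->".join(f["wrappers"]), f["decoded"])
```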


You're right, I retract the point.



