Hacker Newsnew | comments | show | ask | jobs | submit login

Well, a unsafe parser (which was designed only for parsing trusted input) was being used by lots of people (including Rails) for parsing untrusted input as if it was a safe parser. You can debate about whether there should be a safe parser for YAML, but that's a separate issue.



Is "which was designed only for parsing trusted input" written anywhere in Psych doc? Psych is shipped with Ruby, is it written in Ruby doc maybe?

-----


Agreed, there should be a clear warning - in fact, the load method should be renamed unsafe_load. The root cause of this is probably unclear documentation and misunderstandings between the users and authors of psych.

-----




Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | DMCA | Apply to YC | Contact

Search: