They went through most of the issues and shifted blame for the issue from Rails to the developer/user.
"Hopefully you didn't have this weird name in your routes."
"Stripping tags isn't the best way anyway to filter XSS, so if you're encoding, you're good."
"is negligence, you should not be doing that anyway"
"is not defensive programming, so you should not be doing that too"
It isn't "reflecting", it is blame shifting. And there's a huge difference between defensive programming and being psychic; in this case it is more the latter, as even features like the sanitiser we should have known better than to use as the docs tell us to.