by __david__ 3724 days ago
Sure, but most language YAML parsers support all or most of the spec. That can be a problem if you aren't expecting it.
1 comments

I believe it has even created security issues. Didn’t Rails have at least one YAML-based vuln?
You need to restrict YAML to SecureLoad, manually adding allowed types and classes.

At least Perl doesn't support this, so it's inherently insecure there, but you can always use YAML::Syck which didn't go this way.
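An added Ruby example, not part of the thread, of restricting a YAML load to an explicit allowlist of classes. It assumes the "SecureLoad" mentioned above corresponds to Ruby's `Psych.safe_load` with `permitted_classes`; the `Widget` class, the `load_restricted` helper and the sample documents are constructed for illustration.

```ruby
require 'yaml'
require 'date'

# Hypothetical application class, defined only for this example.
class Widget
  attr_accessor :size
end

# Constructed sample documents (not taken from the thread).
PLAIN_DOC  = "name: demo\nretries: 3\n"          # only strings and integers
DATE_DOC   = "released: 2015-03-01\n"            # implicit Date scalar
TAGGED_DOC = "--- !ruby/object:Widget\nsize: 3\n" # asks for a Ruby object

# Parse `text` with Psych.safe_load, permitting only the classes listed in
# `allowed` on top of the basic scalars, arrays and hashes.
# Returns [:ok, value] on success or [:rejected, reason] when the document
# needs a class that is not on the allowlist.
def load_restricted(text, allowed = [])
  [:ok, Psych.safe_load(text, permitted_classes: allowed)]
rescue Psych::DisallowedClass => e
  [:rejected, e.message]
end

if __FILE__ == $PROGRAM_NAME
  # Plain data loads with an empty allowlist.
  p load_restricted(PLAIN_DOC)

  # Even an unquoted date is refused until Date is explicitly allowed.
  p load_restricted(DATE_DOC)
  p load_restricted(DATE_DOC, [Date])

  # A tagged object is refused unless its class is explicitly allowed.
  p load_restricted(TAGGED_DOC)
  p load_restricted(TAGGED_DOC, [Widget])
end
```

The allowlist is per call, so each loader can permit only the types that particular input is expected to carry.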