by zkldi 996 days ago
Why isn't the default secure? If the default isn't secure, we have learned time and time again that people will use the default, unknowingly exposing themselves to security holes.

Here's just a couple examples off the top of my head:

- `$variables` in bash are subject to arbitrary code execution via word splitting without escaping

- PHP register_globals

- PHP, express, and some others parse `?a[b]="foo"` in a query string as an object, allowing for prototype pollution or other exploits

- string concatenation for SQL + escape_string being the default for years

- perl array expansion in function calls

- XML entity inclusion on by default allowing you to read arbitrary files

- log4j executing arbitrary code inside its logs

- passing a variable to printf's first arg

- no difference between escaped and unescaped tags in php

- xargs splitting on whitespace

- yaml allowing arbitrary code execution (it got rails good!)

and there's probably loads more.
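
Two of the defaults listed above (unquoted shell `$variables` and `xargs` splitting on whitespace) next to their safer forms, as an added example that is not part of the original comment. The filename and the helper function names are constructed for illustration.

```shell
# Constructed sample: one filename that contains spaces.
name='quarterly report final.txt'

# Report how many arguments a command actually receives.
count_args() { echo "$#"; }

# Default: an unquoted expansion is split on IFS (and glob-expanded),
# so the single value arrives as three separate arguments.
# The missing quotes are intentional here; this is the unsafe form.
unquoted_count() { count_args $name; }

# Safer form: double quotes keep the value as exactly one argument.
quoted_count() { count_args "$name"; }

# Default xargs: input is split on blanks and newlines, so the one
# filename is handed to the command as three items.
xargs_default_count() {
  printf '%s\n' "$name" | xargs -n 1 printf '%s\n' | wc -l | tr -d ' '
}

# Safer form: NUL-delimited input read with -0 (GNU and BSD xargs),
# the same pairing as find -print0 | xargs -0.
xargs_nul_count() {
  printf '%s\0' "$name" | xargs -0 -n 1 printf '%s\n' | wc -l | tr -d ' '
}

echo "unquoted \$name      -> $(unquoted_count) argument(s)"
echo "quoted \"\$name\"      -> $(quoted_count) argument(s)"
echo "xargs (default)     -> $(xargs_default_count) item(s)"
echo "xargs -0 (NUL input) -> $(xargs_nul_count) item(s)"
```

In both cases the safe behaviour is opt-in: the script author has to add the quotes or the `-0` flag.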