by bonoboTP 606 days ago
> Every consumer of its data should be sanitizing its inputs before rendering them wherever they are using it.

This is not how the real world runs, though. In the real world (outside the bubble of programmers) things are messy, a lot of stuff barely works, many people are incompetent, etc.

Said otherwise, it's defense in depth.

"Should" doesn't factor in. You can't make everyone competent at the wave of a magic wand. But you can control what company names are allowed. You can't control how they will be parsed. There is one law about company names, but a myriad systems that may parse them.

This is a huge blindspot of programmers.


It always barely works as much as you allow it to. Lower the bar even more and it will start barely working at it again.

This Kool-Aid about protecting the real world only helps perception (“I made it work now with this simple rule”), because moving the bar down relaxes issues a bit and they don’t instantly accumulate at the new level.

It doesn’t matter where the bar is, they will always find enough competence and budget to follow it in a moment. You just have to hard-break what half-works in advance.

> You can't make everyone competent at the wave of a magic wand

You can make their incompetence fail by adding random honeypots like someone suggested above. That would be a smart move. Your “out of bubble” move is just an instant gratification button.

Whenever I see a python-requests user-agent, I sometimes keep the connection open indefinitely without responding, to see if the developer was incompetent and forgot to set a timeout. Responding to certain other clients with 'Location: file:///dev/urandom' is also mildly entertaining.
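The two client failure modes the comment above pokes at (a request with no timeout against a server that never answers, and a redirect to a non-HTTP scheme) are easy to reproduce locally. The following is an added example, not code from the comment author or from any client library it mentions: it uses only the Python standard library, starts a constructed "tarpit" server on a loopback port, and shows a client that sets a timeout recovering while one that does not stays blocked. The `safe_redirect_target` helper and the `ALLOWED_REDIRECT_SCHEMES` set are assumed names for the check a redirect-following client should perform before it touches a `Location` header.

```python
"""Reproduce a tarpit server and show why HTTP clients need a timeout and a
redirect-scheme check. Added example; server and inputs are constructed here."""
import http.client
import socket
import threading
from urllib.parse import urlsplit

# Assumption: a redirect-following client should only ever follow web schemes.
ALLOWED_REDIRECT_SCHEMES = {"http", "https"}


def start_tarpit_server():
    """Listen on a random loopback port, accept connections, and never respond.

    Accepted sockets are kept in a list so they stay open; nothing is ever
    written back, which is exactly what a client without a timeout cannot cope with.
    Returns (host, port).
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(16)
    held_open = []  # references keep the peer sockets from being garbage-collected

    def accept_forever():
        while True:
            try:
                conn, _addr = srv.accept()
            except OSError:
                return
            held_open.append(conn)  # deliberately never read or write

    threading.Thread(target=accept_forever, daemon=True).start()
    return srv.getsockname()


def fetch(host, port, timeout):
    """GET / from the given host:port.

    timeout=None is the bug the comment describes: the read blocks forever.
    With a timeout, the blocked read raises socket.timeout and we return cleanly.
    """
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", "/", headers={"User-Agent": "python-requests/2.x (constructed)"})
        resp = conn.getresponse()  # blocks here against the tarpit
        return "response %d" % resp.status
    except socket.timeout:
        return "timed out"
    finally:
        conn.close()


def client_hangs(host, port, wait=1.0):
    """Run fetch() with no timeout in a daemon thread and report whether it is
    still blocked after `wait` seconds. True means the client would hang indefinitely."""
    worker = threading.Thread(target=fetch, args=(host, port, None), daemon=True)
    worker.start()
    worker.join(wait)
    return worker.is_alive()


def safe_redirect_target(location, base_scheme="https"):
    """Return `location` if its scheme is one we are willing to follow, else None.

    A relative Location (no scheme) inherits the scheme of the original request.
    Anything else, such as file:///dev/urandom, is refused instead of being
    opened by whatever URL opener the client happens to use.
    """
    scheme = urlsplit(location).scheme.lower() or base_scheme
    if scheme not in ALLOWED_REDIRECT_SCHEMES:
        return None
    return location


if __name__ == "__main__":
    host, port = start_tarpit_server()
    print("with 0.5s timeout:", fetch(host, port, timeout=0.5))
    print("no timeout still blocked after 1s:", client_hangs(host, port, wait=1.0))
    for loc in ("file:///dev/urandom", "https://example.invalid/next", "/next"):
        print(loc, "->", safe_redirect_target(loc))
```

Run it and the client with a timeout reports `timed out` within half a second, while the thread running the client with `timeout=None` is still alive when we check on it; the only reason the script exits at all is that the stuck thread is a daemon. The redirect check rejects `file:///dev/urandom` and passes ordinary absolute and relative web URLs through.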

My point would be, I'm not sure if this wouldn't be too damaging to the mental health of programmers if everyone was doing shit like that.