[headius]

You mean JRuby and Rubinius, but yes...it's as flawed as every other blacklisting security mechanism. We mostly don't implement it because, well, "here, add these security checks and tainting propagation to EVERY METHOD IN THE SYSTEM and if you don't do it right, you're totally effed." Sounds great.

[pacala]

You add tainting propagation to every method in the system that handles tainted user input. Hopefully, this will encourage you to untaint the user input ASAP and build native objects out of it. Now, of course, if you take untainted strings and feed them into reflection/eval you are in a world of hurt, but perhaps you should stop using reflection/eval.