by dos1
4880 days ago
Wouldn't whitelisting conforming input be a better approach? I realize it may be more difficult, but wouldn't that be more secure?

Edit: I'm genuinely interested - I always try and whitelist things when I'm building software. Although I have next to no background when it comes to security in particular.
Whitelisting is what the rubygems folks are doing to work around this problem until a better implementation is put in place in the YAML parser.
Generally, it is a better solution, but it is more difficult and can break a lot of dependencies if not implemented correctly.
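As an added illustration of the allowlist approach the reply describes (example code written for this page, not rubygems' workaround and not from either commenter): Ruby's bundled Psych parser can be told exactly which classes a YAML document may instantiate, so any `!ruby/object:...` style tag outside that list is refused before an object is built. The `PERMITTED_CLASSES` list and the two helper names are assumptions for the example.

```ruby
# Added example: allowlisting what a YAML loader may construct, instead of
# trying to blacklist every dangerous tag after the fact.
require 'yaml'
require 'date'

# Only plain YAML data (strings, numbers, arrays, hashes, booleans, nil)
# plus these explicitly permitted classes may be instantiated. Everything
# else, including arbitrary !ruby/object tags, is rejected by Psych.
# (Assumed list for this example; a real project chooses its own.)
PERMITTED_CLASSES = [Symbol, Date, Time].freeze

# Parses yaml_text under the allowlist. Raises Psych::DisallowedClass for a
# tag outside PERMITTED_CLASSES, Psych::BadAlias for aliases (disabled here
# to avoid alias-expansion blowups), Psych::SyntaxError for malformed input.
def load_allowlisted(yaml_text)
  YAML.safe_load(yaml_text, permitted_classes: PERMITTED_CLASSES, aliases: false)
end

# Non-raising wrapper for callers that want to log and skip bad documents:
# returns [:ok, data] or [:rejected, reason].
def classify_document(yaml_text)
  [:ok, load_allowlisted(yaml_text)]
rescue Psych::DisallowedClass, Psych::BadAlias, Psych::SyntaxError => e
  [:rejected, e.message]
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample: a benign, gemspec-like document.
  benign = "name: example\nversion: '1.0'\ndeps:\n  - rake\n"
  p classify_document(benign)
  # Constructed sample: a document that asks the loader to build an object.
  tagged = "--- !ruby/object:Object {}\n"
  p classify_document(tagged)
end
```

The point is the direction of the check: the loader starts from "nothing but data" and only the listed classes are let through, so a newly discovered dangerous tag is already blocked rather than needing to be added to a denylist. The cost the reply mentions is visible too: any legitimate document that relied on a class not in the list now fails to load and has to be found and accommodated.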