[erlang-questions] Two beautiful programs - or web programming made easy

Frédéric Trottier-Hébert fred.hebert@REDACTED
Sun Feb 13 19:59:19 CET 2011

On 2011-02-12, at 06:33 AM, Joe Armstrong wrote:

> The Javascript equivalent is:
>   function onMessage(evt) {
>      eval(evt.data);
>   }
> Where the data comes from a websocket.
This is rather risky. Eval will take any code whatsoever and run it for you. If you have dynamic content, without proper escaping and being very careful, users could run arbitrary code in your page, including stuff to steal session data and send it over to either some other site, or perform actions for the user which they do not necessarily approve on (making their profile public, closing their account, worms, etc.)

In fact, this is a reason why people like Douglas Crockford prefered to write JSON parsers rather than just evaluating them. It's just not safe enough.

Plus you have to call the javascript parser and whatnot, which is usually rather slow. The whole idea is pretty bad on the web, where you have to assume that people will actively try to break your stuff and steal data from other users (or you).

> This technique is amazingly powerful.
> So now I only need one generic web page. Think of that.
> Only one page is needed - forever.
This is a problem when it comes to bookmarks, sharing the link with a friend, searchability, browser history, etc. The web wasn't exactly intended to be a stateful thing and you'll have to resort to hacks such as hash-bangs to get around it. I suggest reading  Tim Bray's Broken Links to see why that isn't a good solution anyway.

Plus I'd argue that javascript and Erlang should be kept separate and you shouldn't try to generate one with the other, but at this point, I figure it's more of a matter of who wants to give himself the trouble than anything.

Fred Hébert

More information about the erlang-questions mailing list