I vote for strict validation also. It's a security threat on most applications 
not to strictly validate inputs and outputs. I would rather Clojure default to 
being secure, and have people who need it implement their own less strict validation 
consciously. I'm afraid a lot of people will rely on spec for their validation, 
and not think of this, opening themselves to new attack vectors. 

Here are two examples:

1) You accidentally put extra sensitive data on maps that end up persisted 
unencrypted. If spec doesn't fail a map validation if it contains extra keys, 
this is easy to mistakenly have happen.

2) You mistype the spec of a key, and inadvertently now don't validate a user 
input field, allowing it to pass validation undetected. You're now open to 
code injection attacks.

Or at least include in core a strict spec, like s/keys and s/keys-strict. I 
know personally, I'll need the strict variant in 100% of my use cases, as I 
work on backend services. 

-- 
You received this message because you are subscribed to the Google
Groups "Clojure" group.
To post to this group, send email to clojure@googlegroups.com
Note that posts from new members are moderated - please be patient with your 
first post.
To unsubscribe from this group, send email to
clojure+unsubscr...@googlegroups.com
For more options, visit this group at
http://groups.google.com/group/clojure?hl=en
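
The two cases from the message above, reproduced with `clojure.spec.alpha` as an added example that is not part of the original post. The spec names, the sample maps and the `strict-valid?` helper are constructed for illustration; `strict-valid?` is one possible closed-map check, not a core function.

```clojure
(ns example.strict-keys
  (:require [clojure.spec.alpha :as s]
            [clojure.set :as set]))

;; Constructed specs for a hypothetical user record.
(s/def ::name string?)
(s/def ::email (s/and string? #(re-matches #"[^@\s]+@[^@\s]+" %)))

;; s/keys is open: it checks that required keys are present and validates
;; values only for keys that have a registered spec.
(s/def ::user (s/keys :req [::name ::email]))

;; Case 1: an extra key with no spec (constructed sensitive field) is accepted,
;; so the whole map, secret included, flows on to whatever persists it.
(def user-with-secret
  {::name "Ann" ::email "ann@example.com" ::card-number "4111-0000-0000-0000"})
(assert (s/valid? ::user user-with-secret))

;; Case 2: the value spec is registered under a mistyped name, so ::comment
;; itself has no spec and s/keys only checks that the key is present.
(s/def ::comemnt (s/and string? #(<= (count %) 280))) ; typo for ::comment
(s/def ::post (s/keys :req [::comment]))
(assert (s/valid? ::post {::comment 12345}))

(defn strict-valid?
  "Hypothetical closed-map check: every allowed key must have a registered
   spec, the map may contain no other keys, and it must satisfy `spec`."
  [spec allowed m]
  (and (every? s/get-spec allowed)
       (map? m)
       (set/subset? (set (keys m)) allowed)
       (s/valid? spec m)))

;; The strict check rejects both cases and still accepts the clean map.
(assert (not (strict-valid? ::user #{::name ::email} user-with-secret)))
(assert (not (strict-valid? ::post #{::comment} {::comment "hello"})))
(assert (strict-valid? ::user #{::name ::email}
                       {::name "Ann" ::email "ann@example.com"}))
```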