On Fri, May 21, 2021 at 11:21 PM Craig Francis <cr...@craigfrancis.co.uk> wrote:
> [...]
>
> We need something that libraries will (in the future) be able to use to
> protect themselves against these mistakes... by all programmers, especially
> those who aren't using static analysis.
>

Hi,

Not sure what kind of answer you expect... Are you suggesting to provide one or both of:

1. a way to forbid "dynamic" strings (or at least detect them)?

2. "safe" HTML, SQL and OS-command builder/generator/executor APIs (that would internally restrict/validate their "static" parts and quote/escape the dynamic parameters)?

Regards,

--
Guilliam Xavier
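An added example, not part of this thread, sketching both options above in Python: a `Literal` marker type (an assumed helper, not an existing API) stands in for the developer-written "static" query text, a plain `str` is treated as possibly dynamic and refused, and dynamic values are bound as parameters rather than concatenated.

```python
# Added example: a minimal "safe" SQL builder in the spirit of the two options
# discussed. `Literal` is an assumed marker type; nothing here is an existing API.
from dataclasses import dataclass
import sqlite3


@dataclass(frozen=True)
class Literal:
    """Wraps SQL text the developer wrote verbatim (assumed marker type)."""
    text: str


class UnsafeQueryError(ValueError):
    """Raised when the static part of a query cannot be trusted."""


def build_query(template, params):
    """Option 2: validate the static part, bind the dynamic part.

    `template` must be a Literal whose text uses only '?' placeholders and
    contains no inline string literals; `params` supplies one value each.
    """
    if not isinstance(template, Literal):
        # Option 1: a plain str may have been built at runtime -> refuse it.
        raise UnsafeQueryError("query text must be a Literal, not a dynamic string")
    sql = template.text
    if "'" in sql or '"' in sql:
        raise UnsafeQueryError("inline string literals are not allowed in the static part")
    expected = sql.count("?")
    if expected != len(params):
        raise UnsafeQueryError(f"expected {expected} parameters, got {len(params)}")
    return sql, tuple(params)


def run_query(conn, template, params):
    """Execute a validated template with its values bound by the driver."""
    sql, bound = build_query(template, params)
    return conn.execute(sql, bound).fetchall()


def demo():
    """Constructed sample data: a quote-bearing value stays data, not SQL."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?)", [("alice",), ("bob",)])
    tricky_value = "' OR '1'='1"  # constructed input containing quote characters
    return run_query(conn, Literal("SELECT name FROM users WHERE name = ?"), [tricky_value])
```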