Yeah, I was expecting something closer to "because that's what people Google for".
A big part of designing a security-related API is making it really easy and obvious to do the secure thing, and hiding the insecure stuff behind a giant "here be dragons" sign. You want people to accidentally do the right thing, so you call your secure and insecure functions "setHTML" and "setUnsafeHTML" instead of "setSanitizedHTML" and "setHTML".
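The naming idea in the comment above, as an added example that is not from the thread or from any library it mentions: a small template helper where the short, obvious name escapes by default and the only bypass carries "unsafe" in its name. The names html, escapeHtml and unsafeRawHtml are hypothetical, and the sample input is constructed.

```javascript
// Hypothetical API: the short name (html) is the safe path,
// the bypass (unsafeRawHtml) announces itself at every call site.
const ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Marker class: only instances created through unsafeRawHtml() skip escaping.
// The instanceof check means a look-alike object (for example one parsed
// from JSON with a "markup" field) cannot opt itself out.
class UnsafeRawHtml {
  constructor(markup) {
    this.markup = String(markup);
  }
}

function unsafeRawHtml(markup) {
  return new UnsafeRawHtml(markup);
}

// Tagged template: every interpolated value is escaped unless the caller
// explicitly wrapped it with unsafeRawHtml().
function html(strings, ...values) {
  let out = strings[0];
  values.forEach((value, i) => {
    const rendered = value instanceof UnsafeRawHtml ? value.markup : escapeHtml(value);
    out += rendered + strings[i + 1];
  });
  return out;
}

// Constructed sample input standing in for user-supplied text.
const userComment = '<b onclick="x()">hi</b>';

function renderDefault() {
  return html`<p>${userComment}</p>`;
}

function renderOptOut() {
  return html`<p>${unsafeRawHtml(userComment)}</p>`;
}

console.log(renderDefault()); // escaped: the tag is shown as text
console.log(renderOptOut());  // raw: easy to spot in review or with grep
```

Because the bypass has a distinctive name, a reviewer or a lint rule can search for `unsafeRawHtml` and audit only those call sites.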
get_magic_quotes_gpc() and mysql_real_escape_string() had quite a bit to teach in this area.
100%… it’s like Rust’s “unsafe” package, or Rust reqwest package naming things like danger_accept_invalid_certs(true) and danger_accept_invalid_hostnames(true) → https://docs.rs/reqwest/latest/reqwest/struct.ClientBuilder....