Hacker News: Mapsmithy's comments

You also probably have a much better idea of where the unsafe boundaries in your application are. Letting the models know this information up front has given me a dozen or so legitimate vulnerabilities in the application I work on. And the signal-to-noise ratio is generally pretty good. Certainly orders of magnitude better than the terrible Dependabot alerts I have to dismiss every day.


Here’s your chance to educate us. It’s not at all obvious what sorts of limitations you’re talking about.


How would you change the Type System to fix this particular issue?

>> Don’t pass bare functions if you don’t know what the parameters are.

> This is exactly the kind of thing I want my programming language's type system to catch for me, if I'm working in a language with a static type system like TS.

How's your compiler supposed to know you don't know what the parameters are?


> How would you change the Type System to fix this particular issue?

In TS you really can't (that's my point and why I prefer to avoid the language) because of JS and API baggage. But just about every other static language that I've worked in can complain for this kind of thing.

> How's your compiler supposed to know you don't know what the parameters are?

Why does the compiler care about what I know? The compiler itself knows what the function's parameters are and it can tell me that something seems wrong because I'm asking it to call a function that maxes out at 2 parameters with 3 parameters.

TS does catch this kind of thing in a lot of places. It just intentionally decides not to do it for these kinds of callbacks because of the same JS and API baggage.
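The "function that maxes out at 2 parameters being called with 3" case from the two comments above, as an added example that is not part of the thread: `Array.prototype.map` calls its callback as `f(value, index, array)`, and TS accepts a bare `parseInt` there because a callback declaring fewer parameters than the caller supplies is legal; `parseInt`'s optional `radix` silently receives the index. The `unary` adapter and the names below are this example's own.

```typescript
// Added example (not from the thread). Shows the callback-arity problem with a
// bare parseInt under map(), and two ways to keep the extra arguments out.

// Bug: compiles cleanly, but each element is parsed with radix = its index.
function parseAllBare(xs: string[]): number[] {
  return xs.map(parseInt); // calls parseInt("10", 0, arr), parseInt("10", 1, arr), ...
}

// Fix 1: an adapter that forwards exactly one argument, so a callback with
// optional trailing parameters never sees index/array. The type annotation
// also narrows what the adapted function can be called with.
function unary<T, R>(f: (x: T) => R): (x: T) => R {
  return (x: T) => f(x);
}

function parseAllUnary(xs: string[]): number[] {
  return xs.map(unary(parseInt)); // radix stays undefined for every element
}

// Fix 2: spell out every parameter at the call site. This is the stricter
// form: it also pins the radix, so "0x1F" no longer auto-detects as hex.
function parseAllExplicit(xs: string[]): number[] {
  return xs.map((s) => parseInt(s, 10));
}

// Constructed sample input: three identical strings make the index leak visible.
const SAMPLE = ["10", "10", "10"];

function demo(): { bare: number[]; unary: number[]; explicit: number[] } {
  return {
    bare: parseAllBare(SAMPLE),         // [10, NaN, 2]: radix 0 -> auto, 1 -> invalid, 2 -> binary
    unary: parseAllUnary(SAMPLE),       // [10, 10, 10]
    explicit: parseAllExplicit(SAMPLE), // [10, 10, 10]
  };
}
```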


> if we could remove the human element and replace it with infallible decision making AI would it improve sport?

Probably for some sports and for some elements of other sports. I've thought about this in regard to an umpire's strike zone in baseball. If the strike zone were the same every single time, this might tip the scales in one direction (probably batters). Let's say it advantaged offense even more so: do higher-scoring games make better sport, or are they more enjoyable to watch?

I don't know, but personally I've always enjoyed the slightly random element of the strike zone.


I asked earlier because I'm genuinely curious, but do you have a payload that would bypass this particular regex?


The fact that it's also called when it's added to the stack for display. OP should definitely still sanitize on the server, but it's not as bad as it sounds at first glance.

As an exercise, I'd love it if someone actually posted a payload to exploit that regex.


I knew it was a little premature to spend the $10k.


$10K? There won't be much money left after you live in the Bay Area for 10 weeks.

