[Lispweb] CL-TAINT and friends

Richard Newman r.newman at reading.ac.uk
Fri Dec 23 17:58:05 CST 2005


Alan,
   Looks very useful! NESTRING is very attractive; I expect almost everyone has a function hanging around to do that.

   Goes on my 'things to learn about recent Araneida changes' list.

-R

On 23 Dec 2005, at 15:25, Alan Shields wrote:

> Hello everyone,
>
> Recently, while writing a web app, I wanted to keep the web app from
> trusting the user. Actually, that's not exactly it: I kept noticing
> myself parsing the user input over and over and over again in a certain
> way.
>
> I doubt I'm the only one.
>
> So, I extended the small system I wrote for tainting values for
> Araneida with a declarative construct that I think you might like/be
> interested in. Keep in mind that while Araneida integrates this, the code
> is entirely separate (darcs repo at the end).
>
> Let's say that you're receiving GET parameters X, Y, and Z. They should
> all be integers or NIL.
>
> (with-detaint ((integer x y z))
>    (format nil "x: ~S y: ~S z: ~S" x y z))
>
> Does pretty much what you're looking for.
>
> (with-detaint (((or integer 0) x y z))
>    (format nil "x: ~S y: ~S z: ~S" x y z))
>
> If there's no integer, it returns 0.
>
> Here's another common one: S should be a string, but if it's empty it
> should be NIL.
>
> (with-detaint ((nestring s))
>    (format nil "s: ~S" s))
>
> And there you are.
>
> There's a lot more to the library than that (symbols, pass through
> filters, matchers, etc), and there's more to come.
>
> I'd appreciate any input (besides "hook in regexps", which I already
> plan to do), and keep in mind this is only the product of about 8 hours
> work.
>
> Enjoy,
> Alan Shields
>
> darcs repo: http://code.microarray.omrf.org/darcs/cl-taint/
> docs: http://code.microarray.omrf.org/darcs/cl-taint/taint-doc.html
>
> Araneida testing has this integrated already.
>
> _______________________________________________
> lispweb mailing list
> lispweb at red-bean.com
> http://www.red-bean.com/mailman/listinfo/lispweb
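
The three WITH-DETAINT examples in Alan's message all follow one pattern: a spec (INTEGER, (OR INTEGER 0), NESTRING) is applied to an untrusted request string, and the body is bound to the typed result, or NIL/default, never to the raw string. The following is an added illustration of that pattern, not cl-taint's own code and not Araneida's: the macro name WITH-CHECKED-PARAMS, the *PARAMS* alist standing in for GET parameters, and the helper functions are all assumptions made for this example.

```lisp
;;; Added example: a minimal re-implementation of the "detaint" idea
;;; described in the post. This is NOT cl-taint; all names here are
;;; assumptions chosen for illustration.

(defpackage :detaint-example
  (:use :cl))
(in-package :detaint-example)

;; Constructed sample request parameters (name -> raw string), standing in
;; for the GET parameters a web server would hand to the handler.
(defparameter *params*
  '(("x" . "42") ("y" . "abc") ("z" . "") ("s" . "") ("name" . "hello")))

(defun raw-param (name)
  "Return the untrusted string for NAME, or NIL if the parameter is absent."
  (cdr (assoc name *params* :test #'string-equal)))

(defun parse-integer-strict (string)
  "Parse STRING as a whole-string integer; any junk or an empty string
yields NIL instead of an error, so the caller only ever sees an integer or NIL."
  (and string
       (handler-case (parse-integer string)
         (parse-error () nil))))

(defun detaint (spec raw)
  "Coerce the untrusted string RAW according to SPEC. Supported specs mirror
the ones shown in the post: INTEGER, (OR TYPE DEFAULT) and NESTRING
(non-empty string, else NIL)."
  (cond ((eq spec 'integer) (parse-integer-strict raw))
        ((eq spec 'nestring) (and raw (plusp (length raw)) raw))
        ((and (consp spec) (eq (first spec) 'or))
         (destructuring-bind (type default) (rest spec)
           (or (detaint type raw) default)))
        (t (error "Unknown detaint spec ~S" spec))))

(defmacro with-checked-params (bindings &body body)
  "BINDINGS is a list of (SPEC VAR...) clauses. Each VAR is bound to the
result of applying SPEC to the request parameter with the same (lowercased)
name, so BODY never touches the raw string."
  `(let ,(loop for (spec . vars) in bindings
               append (loop for var in vars
                            collect `(,var (detaint ',spec
                                                    (raw-param ,(string-downcase
                                                                 (symbol-name var)))))))
     ,@body))

;; Integers or NIL: "42" -> 42, "abc" -> NIL, "" -> NIL.
(defun demo-integers ()
  (with-checked-params ((integer x y z))
    (format nil "x: ~S y: ~S z: ~S" x y z)))

;; Integers with a default of 0 for anything that does not parse.
(defun demo-defaults ()
  (with-checked-params (((or integer 0) x y z))
    (format nil "x: ~S y: ~S z: ~S" x y z)))

;; Non-empty strings: "" -> NIL, "hello" -> "hello".
(defun demo-strings ()
  (with-checked-params ((nestring s name))
    (format nil "s: ~S name: ~S" s name)))
```

The point to check when using a construct like this is that the coercion is total: every branch of DETAINT returns either a value of the declared type or the declared fallback, and a spec it does not recognise signals an error at development time rather than quietly passing the raw string through.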
