
4 Jun
2021
4 Jun
'21
10:41 p.m.
I think one fundamental problem is that you can’t detect programmatically if a string needs to be escaped or not.
For instance, the sequence & might be an already escaped & or it might be the text to tell you how to escape an ampersand and needs to be converted to &
Promoting sloppy coding by handling the most common cases is the way to it easier to create security vulnerabilities.
Maybe if escaped strings had a different type than unescaped strings, but then you need a bunch of different types for different rules for escaping.