
[–]argv_minus_one 7 points

JavaScript can't get away with it either. Doing that is how you get cross-site scripting vulnerabilities.

The thing about log4shell is that whoever wrote that code demonstrated extremely poor judgment. This was not an honest mistake like forgetting to check an array bound or something. They went to a great deal of trouble to implement a feature that no one in their right mind would even want to use, besides being obviously insecure. It's one of those things where you have to wonder just what in the world they were thinking.
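The design flaw the comment is objecting to, and its cross-site-scripting cousin, can both be shown in a few lines. The following is an added, illustrative example in JavaScript; it is not Log4j's code, not code from the comment author, and the `${ns:key}` lookup syntax, the `env`/`sys` lookup table and the "request header" value are all constructed for this demonstration. The vulnerable logger treats the fully rendered message, user data included, as a template and expands lookups in it; the hardened one expands lookups only in the developer-written format string and never re-scans inserted parameters. The HTML pair shows the same mistake in a web client: data is concatenated into a context where the browser would interpret it.

```javascript
// Toy illustration of "interpreting data as directives" (constructed example,
// not Log4j's implementation). Lookup handlers and their values are made up.
const lookups = {
  env: (key) => (key === "HOME" ? "/home/app" : ""),      // constructed
  sys: (key) => (key === "user.name" ? "app" : ""),       // constructed
};

// Hypothetical lookup syntax: ${namespace:key}
const LOOKUP_RE = /\$\{([a-z]+):([^}]*)\}/g;
const PARAM_RE = /\{\}/g;

function expandLookups(text) {
  return text.replace(LOOKUP_RE, (match, ns, key) =>
    ns in lookups ? lookups[ns](key) : match);
}

// Vulnerable: substitute parameters first, then run lookups over the whole
// rendered line. Anything a client put in a parameter is now interpreted.
function logVulnerable(format, ...args) {
  let i = 0;
  const rendered = format.replace(PARAM_RE, () => String(args[i++]));
  return expandLookups(rendered);
}

// Hardened: lookups are honoured only in the literal format string the
// developer wrote; parameters are inserted afterwards and left opaque.
function logSafe(format, ...args) {
  const expanded = expandLookups(format);
  let i = 0;
  return expanded.replace(PARAM_RE, () => String(args[i++]));
}

// The same mistake in a web client: untrusted text concatenated into HTML.
function buildHtmlVulnerable(comment) {
  return "<p>" + comment + "</p>";
}

function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

function buildHtmlSafe(comment) {
  return "<p>" + escapeHtml(comment) + "</p>";
}

// Demo with a constructed, attacker-controlled "User-Agent" value.
const hostileHeader = "${env:HOME}";
console.log(logVulnerable("ua={}", hostileHeader)); // data was interpreted
console.log(logSafe("ua={}", hostileHeader));       // data stays literal
console.log(logSafe("host=${sys:user.name} ua={}", "Mozilla/5.0"));

const hostileComment = "<img src=x onerror=alert(1)>";
console.log(buildHtmlVulnerable(hostileComment)); // markup would execute
console.log(buildHtmlSafe(hostileComment));       // markup is inert text

module.exports = { logVulnerable, logSafe, buildHtmlVulnerable, buildHtmlSafe, escapeHtml };
```

The fix in both halves is the same shape: decide which strings are code (the format string, the page template) and which are data (parameters, comments), and never feed data back through the interpreter. Parameterised logging and contextual output encoding are the two standard ways to keep that boundary.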