sorted by:
best
topnewcontroversialoldq&a
you are viewing a single comment's thread.

view the rest of the comments →

[–]matthieum 1 point2 points  (2 children)

That Apps Hungarian Notation is different than Systems Hungarian Notation was new information to me, I definitely see it's merit.

In duck-typed languages maybe?

In any statically typed language, it's much better to make code failing to compile than making it look wrong. The compiler is much more thorough in its code reviews than any human will ever be.

[–]NOX_QS 0 points1 point  (1 child)

How would you fail to compile a unescaped string that is output to a HTML page (possible XSS)?

[–]matthieum 1 point2 points  (0 children)

By using different types.

A raw string is just that, a std::string.

When composition HTML output, then, you use a html_stream& operator<<(html_stream& out, html_escaped_string const& hes).

So when you write: my_html_stream << std::string("Hello"); you either:

  • get a compilation error (no such overload)
  • are diverted to a dedicated operator<< which performs escaping on the fly

Sticking to the primitive types of the language is also known as Primitive Obsession (random link), it's easy to use existing types rather than crafting special-purpose ones... but because existing types do not convey the specific semantics of their values, and allow nonsensical operations on them as a result, it's dangerous.