Basically, every time the subject "correctness" comes up. Every. Single. Time. Damn, no wonder we have bugs everywhere.

gistfile1.html

<dmanderson> Oh Domo :)
<dmanderson> Nice templater
<Sorella> Oh.
<dmanderson> I've been using an underscore to JST compiler as of late, but
             this looks really nice.
<Sorella> I don't quite like Domo, but sure.
<Sorella> Oh Lord, don't use Underscore's templating. Like,
          really. Don't. Just. Don't.
<dmanderson> No I'm using JST
<dmanderson> writing the templates in underscore
<thomaslindstr_m> Sorella: what's wrong with it?  [12:08]
<Sorella> dmanderson: never heard of JST.
<Sorella> thomaslindstr_m: I basically wrote a huge giant post about all the
          security issues that arise from using such forms of templating:
          http://killdream.github.io/2013/09/22/the-importance-of-being-typed.html
                                                                        [12:09]
<dmanderson> https://code.google.com/p/trimpath/wiki/JavaScriptTemplates
<Sorella> dmanderson: ah, yeah, JST would also fall on the "don't use this for
          the love of the Lord"
<thomaslindstr_m> Sorella: so it's good unless you are stupid
<Sorella> thomaslindstr_m: all people are stupid, so it's not good :P
<Sorella> thomaslindstr_m: there are much better alternatives. The ones I've
          linked above are all good alternatives.
<Sorella> thomaslindstr_m: which will make it fairly difficult to shoot
          yourself on the foot and get thousands of XSS security issues
<Sorella> Not to mention the "it wasn't this that I meant stupid templating
          engine" bugs
<thomaslindstr_m> but the issues aren't the templating engines themselves
<Sorella> thomaslindstr_m: it is, just read my blog post.
<thomaslindstr_m> i am reading as we speak
<Sorella> thomaslindstr_m: their fundamental model is fundamentally
          wrong. They use strings.
<Sorella> You should never use strings. Strings should be the least use-able
          type in all realms of programming
<dmanderson> Is this server side focused?
<Sorella> dmanderson: all-platforms focused.  [12:13]
<Sorella> There's no distinction between server-side and client-side.
<dmanderson> Then why convolute your article with SQL
<dmanderson> just sayin'
<Sorella> dmanderson: it's all related.
<Sorella> dmanderson: SQL injections, shell injections, XSS attacks. All
          related, all arising from using the wrong tools.
<Sorella> dmanderson: all arising from using strings.
<thomaslindstr_m> Sorella: i get what you're trying to say, but you shed light
                 on users being stupid, not the templating engines
                 themselves. i see why they "may condone bad behavior" and
                 what not, but that doesn't render those templating engines
                 completely useless if you do it right - does it?
<Sorella> thomaslindstr_m: why would you use something that is ridden with
          bugs when you can use something that has absolutely no way of going
          wrong?
<thomaslindstr_m> i know what it does and i know what it does not
<dmanderson> I think that compounds with my confusion on mixing client side
             and server side templaing int he same article. The SQL really
             doesn't have bearing on this. One would hope you are sanitizing
             and checking inputs for attack. If you don't know what you are
             doing use a NO OPS data store like Database.com which does all
             that for you.
<thomaslindstr_m> yes
<dmanderson> I can totally get this from a server side thing
<dmanderson> and I think the article is well written for that
<dmanderson> eval is evil of course
<Sorella> dmanderson: you should *NEVER* have to sanitise your inputs. This
          whole "sanitise your inputs" is bullshit.
<dmanderson> You should never have to lock the door to your house either
<Sorella> dmanderson: it's the job of the library to comply with the rules of
          the underlying representation, not yours
<dmanderson> that whole securing your personal belongings from society really
             sucks
<thomaslindstr_m> you put too much pressure on the libraries  [12:20]
<Sorella> thomaslindstr_m: is asking for libraries to work correctly putting
          too much pressure on them? WHOA
<thomaslindstr_m> correctly is a relative word
<pogrindis> Sorella its flexible
<dmanderson> Better watch out, your getting close to framework evangelism
<dmanderson> :D
<pogrindis> and moreso a matter of preference
<Sorella> thomaslindstr_m: let me put it this way: you gain nothing from not
          making something work correctly in the first place, and you have
          *less* work to make it behave correctly than it does not.  [12:21]
<Sorella> thomaslindstr_m: both from a user-perspective and a library
          developer perspective.
<Sorella> thomaslindstr_m: the problem here is just that people are still
          clinging to the PERL origins, nothing else.
<pogrindis> O_o  [12:22]
<thomaslindstr_m> i guess what i'm trying to say is i don't understand why you
                 hate the templating languages for not telling you you're
                 doing it wrong
<thomaslindstr_m> templating enginges*
<thomaslindstr_m> one of your examples is not closing a tag and how that
                 screws up the engine
<thomaslindstr_m> but that's your fault
<Sorella> thomaslindstr_m: say you do this: `b = a + 1`, a is a pointer, b is
          now garbage. Wouldn't you want your language to tell you you're not
          getting something meaningful out of this expression?  [12:23]
<Sorella> Languages and libraries *should* enforce correctness. They should
          define boundaries on what is and what isn't possible. This is
          paramount to modularity.
<Sorella> (and less bugs, of course)
<Sorella> thomaslindstr_m: you understestimate the sheer number of complex
          rules a programmer needs to *unecessarily* keep at their heads when
          coding. Let the computer do that job for you. You lose nothing. The
          library author lose nothing. Your users gain correctness, safety and
          performance.  [12:25]
<Sorella> (the downside, you can't say "don't interrupt me" anymore because
          now you don't need to keep the whole system in your head at any
          given time)
<Sorella> Oh wait, that's not a downside :P
<Sorella> thomaslindstr_m: dmanderson: at any rate, I recommend watching this
          talk: http://www.youtube.com/watch?v=TS1lpKBMkgg and this talk:
          http://www.youtube.com/watch?v=fYjO5pIY1mY  [12:26]
<dmanderson> thanks for the links Sorella
<thomaslindstr_m> i don't keep sensitive data client side, nor do i do
                 sensitive operations client side. never.
<Sorella> thomaslindstr_m: ugh, it's not about "X context" or "Y context",
          y'know. You should expand your mind, and analyse the big picture.
<Sorella> thomaslindstr_m: this is something that happens *everywhere*, and
          it's *entirely *OUR* fault*
<dmanderson> Sorella are you vegan?!
<Sorella> thomaslindstr_m: would you like if a doctor suddenly went all: "Oh,
          why use the proper procedures? I'll just open this guy with a
          chainsaw and get done with it fast."
<dmanderson> ;-)
<dmanderson> j/k
<thomaslindstr_m> i'm trying, but i have trouble relating to the issues
                 presented in your article
<Sorella> dmanderson: nope.
<dmanderson> These are some good topics  [12:29]
<dmanderson> Really appreciate the videos.
<Sorella> thomaslindstr_m: the issue is basically: "We suck." which can be
          understood as "We really should start valuing correctness, and stop
          putting the pressure of correctness on the programmer. Computers are
          much better at this, why are we not using them?"