Today I Learned

March 2026

2026-03-12
Stop Telling People To Sanitize User Input

Signal boosting this. Always manage user data transforms for safe encoding on output, never on input. Your input code shouldn't know how the data's going to be used. Maybe it'll be put in an email, maybe it's going on a webpage, maybe you're printing it. Each of those has very different encoding requirements. Your input code should not be trying to account for all the different ways it'll be displayed.

Data given to the system should be treated like you're handling explosives. There are ways to safely move it, ways to safely store it, but you don't go messing with it prematurely. Definitely don't trust, touch, look at, or lick it unless you absolutely have to.
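Here's what that looks like in practice, as an added Python example (not code from the post): one raw value is stored exactly as received, and the encoder is chosen only at the point of output. The function names, the `ENCODERS` table and the sample string are my own; the encoders themselves are the standard-library `html`, `urllib.parse` and `json` helpers.

```python
"""Context-specific output encoding of one raw, untouched user value.

Added illustration, not code from the post: the stored value is kept exactly
as received, and a separate encoder is chosen at the point of output.
"""
import html
import json
import urllib.parse

# Constructed sample input; stored verbatim, nothing stripped or escaped on the way in.
RAW_DISPLAY_NAME = 'Tom & Jerry <b>"fans"</b>'


def for_html_text(value: str) -> str:
    """Encode for an HTML text node or a quoted attribute value."""
    return html.escape(value, quote=True)


def for_url_query(value: str) -> str:
    """Encode for a single query-string parameter value."""
    return urllib.parse.quote_plus(value)


def for_script_literal(value: str) -> str:
    """Encode as a JSON string literal that is also safe inside an inline <script> block.

    json.dumps handles quotes and backslashes; the extra replacements keep the
    HTML parser from seeing a closing tag inside the literal.
    """
    return (json.dumps(value)
            .replace('<', '\\u003c')
            .replace('>', '\\u003e')
            .replace('&', '\\u0026'))


def for_terminal(value: str) -> str:
    """Encode for printing to a terminal or log: make control characters visible."""
    return ''.join(ch if ch.isprintable() else f'\\x{ord(ch):02x}' for ch in value)


# The output layer picks the encoder; the input layer never needs to know these exist.
ENCODERS = {
    'html': for_html_text,
    'url': for_url_query,
    'script': for_script_literal,
    'terminal': for_terminal,
}


def render(value: str, context: str) -> str:
    """Encode `value` for `context`; an unknown context fails closed instead of passing raw data through."""
    try:
        return ENCODERS[context](value)
    except KeyError:
        raise ValueError(f'no encoder for output context {context!r}') from None


if __name__ == '__main__':
    for ctx in ENCODERS:
        print(f'{ctx:>8}: {render(RAW_DISPLAY_NAME, ctx)}')
```

Note that the same stored string comes out four different ways, and none of those transforms would have been right to apply at input time: the HTML form is wrong inside a URL, the URL form is wrong inside a script block, and so on. Adding a new output channel means adding one encoder here, not revisiting every place data enters.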

2026-03-11
Dynamicland

I know I missed posting my usual Lecture Friday, so I come bearing great gifts. Today I was reading Dave Gauer's book review of The Art of Doing Science and Engineering, and he opened by talking about Bret Victor's foreword and noted that his site has an amazing collection of all the best research papers in computing. Upon reading that I wondered, "Huh, what's Bret up to these days?" I then proceeded to fall headfirst into Dynamicland. I'm still not sure what to make of it all, but I'm really excited by everything I'm seeing.

So what can I say except, "You're welcome?"