Take a package which turns text into colored text. The interface to this package is a function from a string to a string. The worst thing this package should be capable of doing, even if fully rewritten by a remote attacker, is to either incorrectly change the contents of the string or to go into an infinite loop to lock up the process. The fact that every package has as much access to the system it’s installed on as the main application is a critical weakness of the programming language and environment. Until we use languages which bake in fine-grained permission controls these same attacks will keep happening.

#javascript #programming