Confusing code example in Section 5: Untrusted Code

[angelikatyborska]

In Section 5: Untrusted Code there's this example that is suggested to be insecure:

name = Kino.Input.text("What's your name?")

textfield_value = Kino.Input.read(name)
{result, binding} = Code.eval_string("a", a: textfield_value)
"Hello, " <> result

We did this security training at my small team at work and none of us could figure out how to choose an input that would prove that this code is insecure. See screenshot for example. Is it possible that this example is not correct? Was it supposed to say Code.eval_string(textfield_value) instead? That would definitely be insecure.

[houllette]

Oh goodness! Thank you for calling this out. In a mad dash to get content added I must've slipped in the more secure solution into the example - we will get this addressed in our next release 😄