Loading YAML without extra Ruby-specific processing, which is now a best practice following the wave of security vulnerabilities earlier this year, means that the phone gem's YAML data is broken, because it uses symbol keys.
So when using safe_yaml, for example, this causes the symbol keys to be read as string keys, yielding validation errors on valid phone numbers.
This repo seems unmaintained. However, you are mistaken: loading YAML without extra Ruby-specific processing is best practice for untrusted data, for example for input from clients. Your own config files or data your app serialized to storage can be regarded as trusted and can certainly use any Ruby-specific processing.
Sure, but in practice, the safest way to guarantee that my code, and the code of all the libraries I depend on, is using trusted YAML is to use a blunt instrument like monkeypatching YAML. This is what safe_yaml does.
phone is a small gem, and I can pretty easily see what it's doing with its YAML. But I can't inspect all the gems I depend on, and all of their dependencies. The only YAML I'll consider trusted input is YAML that I wrote in my own application code. Library code, unless it's using Ruby-specific processing for a specific reason (not just because symbol keys are/were conventional), should take a vanilla approach to YAML that doesn't require that I extend my trust to it.
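The failure mode discussed in this thread, as an added example that is not part of the issue or of the phone gem: a data file written with Ruby symbol keys (`:us:`) is rejected outright by Psych's built-in `YAML.safe_load`, and a loader that silently falls back to string keys would make every symbol-keyed lookup miss. The sample YAML, the `load_phone_data*` helpers and the `valid_number_length?` check are constructed here for illustration; the example uses Psych's `safe_load` rather than the safe_yaml gem.

```ruby
require 'yaml'

# Constructed sample data in the style of a gem's YAML fixture that uses
# Ruby symbol keys. This is illustrative data, not the phone gem's actual file.
PHONE_DATA_YAML = <<~YAML
  :us:
    :country_code: "1"
    :area_code_length: 3
    :number_length: 7
  :nl:
    :country_code: "31"
    :area_code_length: 2
    :number_length: 7
YAML

# The same constructed data with plain string keys: loadable by any YAML
# parser, with no Ruby-specific tagging in the file at all.
PHONE_DATA_YAML_PORTABLE = <<~YAML
  us:
    country_code: "1"
    area_code_length: 3
    number_length: 7
  nl:
    country_code: "31"
    area_code_length: 2
    number_length: 7
YAML

# A strict loader refuses Symbol by default, so a symbol-keyed file does not
# load at all. Returns :symbol_rejected rather than raising, for illustration.
def strict_load_outcome(yaml_text)
  YAML.safe_load(yaml_text)
  :loaded
rescue Psych::DisallowedClass
  :symbol_rejected
end

# Option 1: keep the symbol-keyed file, and permit exactly one extra class
# (Symbol) instead of falling back to a fully permissive loader.
def load_phone_data(yaml_text)
  YAML.safe_load(yaml_text, permitted_classes: [Symbol])
end

# Option 2 (the "vanilla" approach from the thread): store string keys and
# symbolize on load, so the file never depends on Ruby-specific processing.
def load_phone_data_portable(yaml_text)
  YAML.safe_load(yaml_text, symbolize_names: true)
end

# Stand-in for the gem's validation: it looks up by symbol key, which is what
# breaks when a loader hands back string keys instead.
def valid_number_length?(data, country, number)
  spec = data[country]
  return false unless spec
  number.length == spec[:area_code_length] + spec[:number_length]
end

if __FILE__ == $PROGRAM_NAME
  puts strict_load_outcome(PHONE_DATA_YAML)        # symbol_rejected
  data = load_phone_data(PHONE_DATA_YAML)
  puts valid_number_length?(data, :us, "2125551234") # true
  puts load_phone_data_portable(PHONE_DATA_YAML_PORTABLE) == data # true
end
```

Both loaders produce the same hash, so the validation code does not need to change; the difference is only whether the data file itself carries Ruby-specific key syntax. `permitted_classes` and `symbolize_names` are keyword options of `Psych.safe_load` in the Psych versions bundled with Ruby 2.6 and later.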