# htmx-general

    hundreds-camera-24900

    06/28/2022, 2:55 PM
    > Fresh takes care of automatically re-hydrating the island on the client if it encounters its use in a route's template.

    mysterious-toddler-20573

    06/28/2022, 3:33 PM
    betrayed

    mysterious-toddler-20573

    06/28/2022, 3:33 PM
    by my own maintainer

    tall-dinner-62086

    06/28/2022, 3:39 PM
    You will drink the water and you will like it

    hundreds-camera-24900

    06/28/2022, 4:01 PM
    you can lead a maintainer to water but you can't make them drink

    gorgeous-ghost-95789

    06/28/2022, 4:03 PM
    I don’t know what this means but I want it in my code now.

    mysterious-toddler-20573

    06/28/2022, 4:11 PM
    https://twitter.com/htmx_org/status/1541810657703731201

    early-australia-38728

    06/28/2022, 4:16 PM
    haha, bad things happen if you mix table and non-table oob responses in the same ws message https://github.com/bigskysoftware/htmx/blob/4203822aa5e50cfbdfdde4aa00a61340e8ad6e24/src/htmx.js#L260-L285

    early-australia-38728

    06/28/2022, 4:17 PM
    I guess the only possible response to that is "don't do that"?

    tall-dinner-62086

    06/28/2022, 4:18 PM
    Pretty much. Working with tables is a mess at the best of times. I still do it because people like to copy/paste things into excel, but it's a pain.

    early-australia-38728

    06/28/2022, 4:18 PM
    'bout to try the useTemplateFragments option, maybe that will work

    tall-dinner-62086

    06/28/2022, 4:19 PM
    Basically, you just need to make sure the html you return is actually fully valid html

    tall-dinner-62086

    06/28/2022, 4:19 PM
    Or use templatefragments, yes

    early-australia-38728

    06/28/2022, 4:20 PM
    feels like a change I'd have to do a pretty broad sanity-check after, unfortunately

    early-australia-38728

    06/28/2022, 4:30 PM
    eh, useTemplateFragments doesn't appear to help

    early-australia-38728

    06/28/2022, 4:54 PM
    The real fix for me was to just ensure every top-level oob element goes in its own ws payload

    early-australia-38728

    06/28/2022, 4:56 PM
    I don't see any scenario where the browser would be happy with parsing what looks to it like a jumble of non-conforming HTML

    calm-ice-23682

    06/28/2022, 9:03 PM
    I mentioned this before, but I think it would be nice for htmx to have some way/boundary for developers to explicitly whitelist which sources it swaps/oob-swaps from... again I'm not a security guy but something keeps worrying me.

    ripe-action-67367

    06/28/2022, 9:15 PM
    Neither am I, but I believe this can be achieved with CORS and CSP. https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/connect-src this should limit the sources from which data can be loaded onto your page, https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS this controls which pages can load data from your server, and also this https://htmx.org/docs/#security and this https://hyperscript.org/docs/#security for good measure

    calm-ice-23682

    06/28/2022, 9:34 PM
    anyway I'm sure at some point the project will get a more thorough assessment from more security-focused peeps... hopefully before 14k stars

    gorgeous-ghost-95789

    06/29/2022, 2:21 AM
    Wouldn't that only be an issue if you let users update where you `hx-get` (et al.) from? Seems like `hx-get`-info from an undetermined URL is going to be a security hole no matter what you do.

    worried-hair-75253

    06/29/2022, 2:24 AM
    @gorgeous-ghost-95789 I was going to reply similarly. If these outside devs have access to the server that htmx is requesting content from, then it's not actually an HTMX concern, right?

    hundreds-camera-24900

    06/29/2022, 3:23 AM
    There's an XSS consideration if you allow users to add rich text

    hundreds-camera-24900

    06/29/2022, 3:24 AM
    potentially someone could put `hx-post="badsite"` into their content and if you display that unsanitized that could be bad

    refined-waiter-90422

    06/29/2022, 4:14 AM
    Also can be `javascript:` or `js:`

    refined-waiter-90422

    06/29/2022, 4:15 AM
    Any user content really must be surrounded in `hx-disable`, see:

    refined-waiter-90422

    06/29/2022, 4:17 AM
    also if you're letting users generate links at all, you need to filter out `javascript:`, `js:`, `data:`, `vbscript:`, `file:`

    refined-waiter-90422

    06/29/2022, 4:18 AM
    also you must tokenize multi-character targets to prevent recursion attacks, aka replace those strings with a placeholder like `.`, not just remove them. Example: `javascriptjavascript::alert('yo')` becomes `javascript:alert('yo')` = Ruh roh.

    refined-waiter-90422

    06/29/2022, 4:18 AM
    Anyways thanks for coming to my security ted talk

    refined-waiter-90422

    06/29/2022, 4:20 AM
    ```python
    def neutralize_schemes(output: str) -> str:
        output = output.lower()  # lowercase first so mixed-case schemes such as "JavaScript:" are matched
        for target in ['javascript:', 'js:', 'vbscript:', 'data:', 'file:']:
            output = output.replace(target, '.')  # placeholder, not removal, so "javascriptjavascript::" can't collapse into "javascript:"
        return output
    ```
    That's what you want, basically, on the backend.