Comments by "xybersurfer" (@xybersurfer) on "HTMX IS INSECURE (XSS) | Prime News" video.
that's not all. HTMX assumes your front-end is HTML. if you want to add a different front-end in the future, then you are gonna have a hell of a time getting rid of the HTMX, and turning it into something sane and neutral, which it should have been from the start
3
yes. and more specifically: sanitization should only be done when rendering HTML. you should not be HTML encoding data before inserting it into the database
1
@darylphuah no. the front-end and back-end normally have different types of "injections" to be concerned with. the back-end is not concerned with how the front-end represents its data. there may be multiple types of front-end connected to the same back-end and maybe not all those front-ends are using HTML
1
@darylphuah i did not say that a back-end serving HTML is invalid. if SSRs serve HTML, then how valid is it as a back-end when not all front-ends use HTML? that's the scenario i presented. i did not deny that there can be trusted data sources. your assumption seems to be that HTML front-ends can't share code. i don't agree with this.
1
sanitization is a confusing term. in a normal situation the front-end and back-end have different concerns.
back-end: typically the back-end wants to avoid taking user input and directly executing it on the database, as that could cause an SQL injection. the back-end also validates whether data and actions are according to the rules.
front-end: typically the front-end wants to avoid taking data from the back-end and directly inserting it into the HTML, as that could cause XSS.
validation on the front-end never replaces that on the back-end. it can merely improve the user experience or offload the back-end slightly, because front-end validation causes the back-end to get hit with less obviously invalid requests.
sanitization: some suggesting that the front-end should HTML encode the user input before sending it to the back-end are wrong, because that pollutes the database data with a front-end concern. front-ends change and there may be other front-ends connected to the same back-end, that are not HTML based.
HTMX: that's also why HTMX is junk. HTMX is tight coupling, because it forces the front-end to be HTML based. it's not insecure, but it's just a bad design. come on guys. we know better!
1
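The point made in the comment above, that HTML encoding belongs at render time and not before storage, shown as an added example (this is illustration code, not anything the commenter or the HTMX project published). The in-memory `_db` dict, the function names and the sample comment string are all constructed for the example. It contrasts storing the raw text and encoding in the HTML renderer with the anti-pattern of encoding before storage, and shows two consequences of the anti-pattern: the HTML view double-encodes, and a non-HTML consumer (a JSON API for a mobile app or third party) receives entity-polluted data.

```python
import html
import json

# Constructed sample user input for the example: a comment containing markup.
RAW_COMMENT = '<script>alert("xss")</script> Tom & Jerry'

# Hypothetical in-memory store standing in for the back-end database.
_db = {}


def store_comment(comment_id, text):
    """Back-end: validate against the rules, then persist the text as-is.

    No HTML encoding happens here; the back-end does not know (or care)
    whether the consumer renders HTML, JSON or something else.
    """
    if not isinstance(text, str) or not text.strip():
        raise ValueError("comment must be non-empty text")  # back-end validation
    _db[comment_id] = text
    return text


def render_html(comment_id):
    """HTML front-end: encode at the moment the value is placed into HTML."""
    return "<p>{}</p>".format(html.escape(_db[comment_id], quote=True))


def render_json(comment_id):
    """Non-HTML front-end (mobile app, third party): gets the data untouched."""
    return json.dumps({"comment": _db[comment_id]})


def store_pre_encoded(comment_id, text):
    """The anti-pattern the comment warns against: HTML-encoding before storage."""
    _db[comment_id] = html.escape(text, quote=True)
    return _db[comment_id]


def compare_pipelines():
    """Run both pipelines on the same input and report what each consumer sees."""
    store_comment("ok", RAW_COMMENT)
    store_pre_encoded("bad", RAW_COMMENT)
    return {
        # correct pipeline: HTML encoded once, JSON consumer gets the original text
        "ok_html": render_html("ok"),
        "ok_json_roundtrip": json.loads(render_json("ok"))["comment"] == RAW_COMMENT,
        # anti-pattern: HTML view is double-encoded, JSON consumer sees entities
        "bad_html_double_encoded": "&amp;lt;" in render_html("bad"),
        "bad_json_polluted": "&lt;" in json.loads(render_json("bad"))["comment"],
    }


if __name__ == "__main__":
    for key, value in compare_pipelines().items():
        print(key, "->", value)
```

The renderer is the only place that knows it is producing HTML, so it is the only place that can encode correctly for that context; a JSON renderer for the same record needs JSON encoding instead, which `json.dumps` supplies. Encoding earlier bakes one consumer's concern into shared data, and the double-encoded output is a common tell that this has happened.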
@Jabberwockybird i don't understand your (rhetorical?) question. are you saying that HTML does not belong in the front-end? can you express your point directly?
1
@Jabberwockybird oh. of course, i'm not against HTML in the front-end. i'm against the back-end assuming that the front-end uses HTML. Mobile Apps and Desktop Applications are examples of front-ends that don't necessarily use HTML. same goes for Third Parties that connect to your back-end, and just want the data
1
you shouldn't be HTML encoding data before sending it to the back-end. it pollutes your database. it should only be HTML encoded at the moment it is shown on an HTML web page
1
@shaunkeys7887 if you don't know what the intent is, then why are you suggesting HTML encoding what goes to the back-end?
1