Add htmx security essay #2280
Conversation
Just skimming the text, looks great to me.
| Ruby | ERB | Yes, with `<%= %>` | |
I meant "useful" actually, thanks for the catch, and for reading! I'll add the Ruby templates, I'm kinda surprised I didn't have them already
11c811b to 6f034c2
Overall looks good. Few comments.
|
||
We make these simplifying assumptions in order to target the widest possible audience, without including distracting information—obviously this can't catch everyone. No security guide is perfectly comprehensive. If you feel there's a mistake, or an obvious gotcha that we should have mentioned, please reach out and we'll update it. | ||
|
||
## The Golden Rules |
Consistency: some of the headings are in 'Sentence case' while others are in 'Capitalized Case'. Do we want to have them all be in the same style?
Yup, I'll fix that
Went with sentence-case, except on this one specifically where I'm using Golden Rules like a proper noun.
|
||
The reason for this is simple: htmx inserts the response from that route directly into the user's page. If the response has a malicious `<script>` inside it, that script can steal the user's data. When you don't control the route, you cannot guarantee that whoever does control the route won't add a malicious script. | ||
|
||
Fortunately, this is a very easy rule to follow. Hypermedia APIs (i.e. HTML) are [specific to the layout of your application](https://htmx.org/essays/hypermedia-apis-vs-data-apis/), so there is almost never any reason you'd *want* to insert someone else's HTML into your page. All you have to do is make sure you only call your own routes. |
We should mention that this can be enforced with `htmx.config.selfRequestsOnly = true` and that this will be the default in htmx 2.
Good idea.
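The same-origin check that a "self requests only" policy needs, as an added example that is not htmx's own code (`resolveSelfRequest`, `isSelfRequest` and `fetchSelf` are hypothetical helpers; `pageOrigin` stands in for `window.location.origin` so the check runs outside a browser):

```javascript
// Added example, not htmx's own code: the same-origin check behind a
// "self requests only" policy. A hypermedia response is swapped straight
// into the page, so a target that resolves anywhere but the page's own
// origin is refused before any request is made.
//
// `pageOrigin` is the current document's origin (in a browser,
// `window.location.origin`); it is a parameter so the check also runs
// outside a browser. Returns the resolved absolute URL when the target is
// same-origin, or null when it is not.
function resolveSelfRequest(url, pageOrigin) {
  let target;
  try {
    // Relative targets ("/profile", "edit?id=1") resolve against the page;
    // absolute and protocol-relative ones ("//other.example/x") do not.
    target = new URL(url, pageOrigin);
  } catch (e) {
    return null; // unparseable input is never treated as same-origin
  }
  // Compare parsed origins (scheme + host + port) rather than string
  // prefixes: "https://app.example.other.example" shares a prefix with
  // "https://app.example" but is a different origin. Schemes without an
  // origin (javascript:, data:) parse to the origin "null" and fail here.
  return target.origin === new URL(pageOrigin).origin ? target.href : null;
}

// Convenience predicate for callers that only need yes/no.
function isSelfRequest(url, pageOrigin) {
  return resolveSelfRequest(url, pageOrigin) !== null;
}

// Gate a request on the check. `fetchImpl` is injectable so the gate can
// be exercised without a network; it defaults to the global fetch.
function fetchSelf(url, pageOrigin, fetchImpl = fetch) {
  const target = resolveSelfRequest(url, pageOrigin);
  if (target === null) {
    throw new Error("refused cross-origin hypermedia request: " + url);
  }
  return fetchImpl(target);
}
```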
For example, let's say you're building a dating site, and it lets users share a little bio about themselves. You'd render that bio like this, with `{{ user.bio }}` being the bio stored in the database: | ||
|
||
```html | ||
<p class=bio> |
<p class=bio> | |
<p class="bio"> |
Not using quotes is legal and fine
True, but (1) it's inconsistent because other places in the article are using quotes and (2) this is a security-focused article and specifically recommends using quotes, so why not get into the habit everywhere?
You're right, I was just going to come back and say that
I stand by my no-quoting style!!! But it's not appropriate for this article specifically
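The escaping that `{{ user.bio }}` relies on, and why the quoted attribute matters even for an escaped value, as an added example that is not part of the essay or the PR (`escapeHtml`, `renderBio`, `renderDataAttr` and `countAttributes` are hypothetical helpers; the sample bios are constructed):

```javascript
// Added example, not from the essay or any template engine: the escaping a
// template's `{{ user.bio }}` output relies on, and why quoting the
// attribute (as the review thread recommends) matters even for escaped
// values. The bios used with these functions are constructed sample input.

// Replace the five characters that can alter HTML structure or terminate an
// attribute value. Escaping both quote characters is what keeps a value
// inside "..." or '...'.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// The bio as text content, matching the essay's `<p class="bio">` snippet:
// a `<script>` in the stored bio comes out as inert text.
function renderBio(bio) {
  return `<p class="bio">${escapeHtml(bio)}</p>`;
}

// The same escaped value placed in an attribute, quoted or not. Escaping
// leaves spaces and "=" alone, so an unquoted value containing a space ends
// the attribute early and the rest is parsed as further attributes.
function renderDataAttr(bio, quoted) {
  const v = escapeHtml(bio);
  return quoted ? `<div data-bio="${v}"></div>` : `<div data-bio=${v}></div>`;
}

// Count the name=value pairs a parser would see in one start tag: a quoted
// value is skipped to its closing quote, an unquoted one runs to the next
// whitespace or ">". Enough to show how the two renderings differ.
function countAttributes(tag) {
  let count = 0, i = 0;
  while (i < tag.length) {
    if (tag[i] !== "=") { i++; continue; }
    count++;
    const q = tag[i + 1];
    if (q === '"' || q === "'") {
      const close = tag.indexOf(q, i + 2);
      if (close < 0) return count; // unterminated value: stop here
      i = close + 1;
    } else {
      while (i < tag.length && !/[\s>]/.test(tag[i])) i++;
    }
  }
  return count;
}
```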
Thanks so much for the review @yawaramin :)
* Add htmx security essay
* Change user id prop
* Typo fixes
* More typos
* Add ruby templates and fix "use" typo
* Change paragraph structure slightly
* Rephrase JSON note
* Rephase JSON security point
* Yawar edits
* Add note about flask
New essay about security