I don't see the point of this article; it's just common sense. If you plan which parts of the DOM are replaced using HTMX, never trust user input. You'll be fine. I use Golang with HTMX and it's amazingly productive.
I think the point is that htmx is in no way special. It's the same old category of vulnerability. It's why we have execvpe. It's why we have mysql_real_escape_string_no_really_we_mean_it_this_time().
I remember a similar point being made about LLM output. Now, I'm anything but an LLM fanboy, but if you pipe unknown text into a system interface, that's squarely on you.
I think the point being made that you're replying to is that it has nothing to do with htmx. It isn't htmx that's not playing well with content security policy.