Introduction
Hello!
In the ever-evolving landscape of web development, where the lines between server and client-side scripting blur,...
Yep really like htmx. I added alpine.js for the small bits of interactivity I need where it would be overkill to talk to the server
I didn't know about Alpine! Thanks for telling me, I'll give it a look :)
HTMx is a good tool but it lacks several other functionalities; in my opinion it is just jQuery improved.
If you are curious about functional programming I highly recommend Elixir and Phoenix LiveView.
reddit.com/r/elixir/comments/198cg...
Here is an interview with Jose, and he talks about HTMx and Hotwire, meaning that they are imperative tools.
please, I can only get so hard
If everything is in HTML, wouldn't the user be able to make changes to the HTML to change especially things like a PHP script to trigger? It seems dangerous if the random script name somehow triggered something in the backend
If a user can make HTML, that would be vulnerable. Usually, there is an escaping feature on most common templating languages anyway. Escaping the user content would be enough to prevent that.
If some HTML or anything rendered to HTML is necessary, the developers need to allow only safe attributes. It is like how to prevent XSS in traditional web applications.
Inside a form, usually we are adding a hidden field with the value of the CSRF token. This token is created by the framework that we are using or with a custom algorithm. So in case of a POST request, we are validating whether the hidden input field value is equal to the value inside the backend. About escaping and sanitizing: in this example, the author gives htmlspecialchars(), which escapes every HTML character, so the users cannot add malicious tags like <script>. However, if you want to delete every tag inside the user input, you can additionally use the strip_tags built-in function, which actually sanitizes every tag from user input, and in the optional second parameter you can define the acceptable tags. For more extreme sanitization you can use the built-in filter_var of PHP. Below I'm providing the documentation about htmlspecialchars, strip_tags and filter_var.
Of course PHP provides much, much more functionality to use for securing your application. It's just not forcing you to use them (like every vanilla language. Only frameworks are forcing you to use specific practices).
htmlspecialchars: https://www.php.net/manual/en/function.htmlspecialchars
strip_tags: https://www.php.net/manual/en/function.strip-tags
filter_var: https://www.php.net/manual/en/function.filter-var.php
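A worked version of the CSRF hidden field and htmlspecialchars() escaping described in the comment above, as an added PHP example (not the article's or the commenter's code); it assumes PHP sessions are enabled and that the file is served at /comment.php.

```php
<?php
// Added example: an htmx form with a CSRF hidden field, token validation on
// POST, and output escaping of the user's comment before it is returned as
// an HTML fragment. Assumes sessions are enabled and this file is /comment.php.
declare(strict_types=1);
session_start();

// One token per session, generated from a CSPRNG and stored server-side.
function csrf_token(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Constant-time comparison of the submitted hidden field against the session value.
function csrf_valid(?string $submitted): bool {
    return is_string($submitted)
        && isset($_SESSION['csrf_token'])
        && hash_equals($_SESSION['csrf_token'], $submitted);
}

// Escape for an HTML text/attribute context; ENT_QUOTES covers both quote styles.
function e(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_valid($_POST['csrf_token'] ?? null)) {
        http_response_code(403);
        exit('Invalid CSRF token');
    }
    $raw = (string)($_POST['comment'] ?? '');
    // Option A (used here): escape everything, so <script> renders as literal text.
    $safe = e($raw);
    // Option B: keep an allow-list of tags. Note that strip_tags keeps the
    // attributes of allowed tags, so on its own it does not stop attribute-based XSS.
    // $safe = strip_tags($raw, '<b><i>');
    echo '<li>' . $safe . '</li>';   // htmx swaps this fragment into the list
    exit;
}
?>
<form hx-post="/comment.php" hx-target="#comments" hx-swap="beforeend">
  <input type="hidden" name="csrf_token" value="<?= e(csrf_token()) ?>">
  <input name="comment">
  <button type="submit">Post</button>
</form>
<ul id="comments"></ul>
```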
good point
I'm going to learn htmx right now