Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

If we don't care about the UX, then it would be more "convenient" for the developer to just not write the program in the first place.

Using string templating makes the DX better without compromising UX, since users just see the rendered output. Implementing bad/nonexistent web security also makes the DX easier since there's simply fewer features to implement, but this obviously has negative consequences on UX when folks have their accounts/credentials easily stolen.



Using string templating for HTML is bad/nonexistent web security, so by your argument it does compromise UX.


By your argument, everyone using string templating for HTML has bad/nonexistent web security. I disagree.


Not everyone, just the people whose pages display untrusted inputs. Which is a huge fraction of the modern web...

(The rest just have brittle websites that might break when someone uses certain punctuation for the first time.)


Ah okay I see now you were referring to failure to sanitize inputs/outputs in the original comment. I don't know if this oversight occurs more often when using string templating, but I'm pretty sure this was already a problem long before string templating came into practice.


It's literally the reason why HTML templating is done with other means than string concatenation, these days.


Isn't that why server side validation exists? What's wrong with letting the user enter whatever they want? It doesn't mean it has to be accepted.


Validation can force usernames to be a-z but it doesn't work on freeform text. Forum comments should be able to state that the HTML open comment syntax is <!--


Not really. Lots of template engines escape and/or sanitize interpolated expressions, according to the context, by default.


Well that goes far beyond what I think of as "string templates", now you're parsing the string into HTML.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: