In the bad old days, XSS was rampant because our views talked directly with our databases. Then we put templating engines and models in the middle and the problem seemed to be solved. Now we have XSS again because the database is the view?! This is a preventable problem!



I don't even hate the idea of generating HTML responses in the database (why not, that's where all the data is!), but this is very clearly not the way to do it. Those functions read like plain PHP scripts, and are obviously just as vulnerable. Just as PHP's problems are largely solved these days by frontend frameworks like Laravel, so could a frontend framework in the database solve the same problems here.

I have to say I always liked the Postgres project, but this kind of dangerous and wrong information in an official tutorial makes me wary of using the platform. Who knows what other lessons from the bad old days have been forgotten by the developers?


This doc was meant to be a POC, just to show what's possible. We're working on migrating it to Mustache templates which do automatic escaping: https://github.com/PostgREST/plmustache?tab=readme-ov-file#e...

You're right though, we'll add a warning there. Thanks for the feedback.
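The pattern the thread is arguing about, as an added example (PostgreSQL SQL functions written here to illustrate the point; this is not code from the PostgREST tutorial or from plmustache). The `todos` table, its rows, and the `html_escape` helper are all constructed for the example. The first function concatenates column data straight into markup, which is the "PHP script" pattern the commenter objects to; the second passes every interpolated value through an escaping helper, which is the manual equivalent of what an auto-escaping template engine does.

```sql
-- Constructed sample table and data, including one hostile row.
CREATE TABLE todos (id serial PRIMARY KEY, task text NOT NULL);

INSERT INTO todos (task) VALUES
  ('buy milk'),
  ('<img src=x onerror="alert(document.cookie)">');  -- constructed hostile input

-- Vulnerable: untrusted column data is concatenated directly into HTML,
-- so the <img ...> row above is emitted verbatim and executes in the browser.
CREATE OR REPLACE FUNCTION todos_html_unsafe() RETURNS text
LANGUAGE sql STABLE AS $$
  SELECT '<ul>'
      || string_agg('<li>' || task || '</li>', '' ORDER BY id)
      || '</ul>'
  FROM todos;
$$;

-- Escaping helper for HTML text and quoted-attribute context.
-- '&' must be replaced first; otherwise the entities produced by the
-- later replacements would themselves be re-escaped.
CREATE OR REPLACE FUNCTION html_escape(s text) RETURNS text
LANGUAGE sql IMMUTABLE STRICT AS $$
  SELECT replace(replace(replace(replace(replace(s,
           '&',  '&amp;'),
           '<',  '&lt;'),
           '>',  '&gt;'),
           '"',  '&quot;'),
           '''', '&#39;');
$$;

-- Hardened: every value interpolated into markup goes through html_escape().
-- The hostile row now renders as literal text: <li>&lt;img src=x onerror=&quot;alert(document.cookie)&quot;&gt;</li>
CREATE OR REPLACE FUNCTION todos_html_safe() RETURNS text
LANGUAGE sql STABLE AS $$
  SELECT '<ul>'
      || string_agg('<li>' || html_escape(task) || '</li>', '' ORDER BY id)
      || '</ul>'
  FROM todos;
$$;

SELECT todos_html_unsafe();  -- script-bearing markup reaches the client
SELECT todos_html_safe();    -- same data, inert
```

Two caveats a practitioner would want. First, the helper above only covers HTML element content and double- or single-quoted attribute values; data placed into a `javascript:` URL, an inline `<script>` block, or an unquoted attribute needs a different, context-specific encoding, so the safe pattern is to keep dynamic values out of those contexts entirely. Second, the hardened function is only safe because the author remembered to call `html_escape()` on every interpolation; that is exactly the discipline an auto-escaping template engine (the plmustache migration the reply mentions) removes from the author's hands, which is why it is the better fix.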

