the DOM isn't useless on the server if you take that DOM that you've built up, serialize it and send it
where exactly are you expecting the attack vector to occur? between when you serialize the DOM you've built up and send it across the wire?
> And yet, TFA is doing it wrong in an example meant to showcase the virtues of HTMX.
is it? I thought it was showing off some HTML generation thing they are working on in PostgREST. yeah, they are gonna need to get their HTML generation working w/ escaping if they want people to really use it to generate HTML, like all the other HTML generation tools do...
> where exactly are you expecting the attack vector to occur? between when you serialize the DOM you've built up and send it across the wire?
I'm expecting there to be some minor mismatch between what the serializer considers worth escaping, and what the parser considers to have some special meaning.
> the DOM isn't useless on the server if you take that DOM that you've built up, serialize it and send it
And you're still not reading. The DOM is useless on the server; you still need to serialize and parse it.
> the idea that securing hypermedia-driven applications is hard is dumb; it's been done successfully for decades now
And yet, TFA is doing it wrong in an example meant to showcase the virtues of HTMX.
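The two points the thread turns on, that an HTML generator is only safe if it escapes per context (the PostgREST remark above), and that the escaping has to cover everything the receiving parser treats as special (the serializer/parser mismatch remark), can be shown with a small server-side element tree. The code below is an added example written for this page; it is not from the thread, from HTMX or from PostgREST, and the tree builder, the escaping functions and the sample username are all constructed here. It runs under Node without any browser DOM.

```javascript
// Added example: a minimal server-side element tree serialized with
// context-aware escaping, next to the naive string concatenation that
// lets untrusted data change document structure.

// Text content: '&', '<' and '>' are the characters an HTML parser gives
// meaning to inside element content, so they are the minimum escape set.
function escapeText(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Attribute values: same set plus both quote characters, so a value can
// never close the quoted attribute it sits in. The serializer always
// quotes, because an unquoted attribute has a much larger special set
// (whitespace, '=', '`') that would reopen the mismatch problem.
function escapeAttr(value) {
  return escapeText(value)
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Tiny element constructor standing in for a server-side DOM node.
// (hypothetical helper; not an API of any library named on the page)
function el(tag, attrs = {}, children = []) {
  return { tag, attrs, children };
}

// Serialize the tree. String children are data, never markup, and every
// attribute is quoted and escaped for the attribute context.
function render(node) {
  if (typeof node === "string") return escapeText(node);
  const attrs = Object.entries(node.attrs)
    .map(([name, value]) => ` ${name}="${escapeAttr(value)}"`)
    .join("");
  const inner = node.children.map(render).join("");
  return `<${node.tag}${attrs}>${inner}</${node.tag}>`;
}

// The naive approach: untrusted input pasted straight into markup.
function renderNaive(username) {
  return `<li data-user="${username}">${username}</li>`;
}

// The same list item produced from the tree, so the username is escaped
// once for the attribute and once for the text node.
function safeListItem(username) {
  return render(el("li", { "data-user": username }, [username]));
}

// Constructed sample input: a username carrying a quote and a tag.
const untrustedName = 'Tom & "Jerry" <b>bold</b>';

console.log(renderNaive(untrustedName));   // quote closes the attribute, <b> becomes markup
console.log(safeListItem(untrustedName));  // both contexts stay data
```

The defensive point is in `escapeAttr` versus `escapeText`: a single escape set applied everywhere is exactly the kind of serializer/parser mismatch the thread describes, because a value that is harmless as text (a bare `"`) terminates a quoted attribute. A generator that emits HTML on the server has to know which of the two contexts each value lands in, which is what a tree serializer gives you and string templating does not.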