by hrjet 2031 days ago
htmx sounds great! I am interested in this from the security angle. If browsers were to natively support htmx (or something similarly declarative), it might reduce the need for Javascript and hence improve security.
1 comment

It definitely helps improve your security complexity over things like, say, GraphQL, where row-level security is necessary to prevent people from firing off random queries from the browser console.

There are a couple of places in the code where eval()/Function code is fired off, which require some security thinking:

https://htmx.org/attributes/hx-trigger/

hx-trigger evaluates expressions for the event filter. This typically isn't an issue since you would be unlikely to use user input in this context.

https://htmx.org/attributes/hx-vars/

hx-vars evaluates expressions to include in the request. This is a bit more dangerous, because you might try to pass values through with this mechanism. If this includes user input then you should use hx-vals instead:

https://htmx.org/attributes/hx-vals/
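The distinction the reply above draws, as an added example that is not part of the thread and not htmx's own code: one attribute whose value is evaluated as JavaScript (modelling hx-vars) beside one whose value is parsed as JSON (modelling hx-vals), fed the same server-templated user input. The helper names (evalHxVars, parseHxVals, renderHxValsAttr), the Function-constructor model of hx-vars, the attribute escaping, and the "username" payload are all assumptions constructed for the demonstration; they show the failure mode, not htmx's internals.

```javascript
// Added example, not htmx code. Models the two attribute-handling styles the
// comment contrasts: hx-vars (evaluated as JavaScript) vs hx-vals (parsed as JSON).
// The helpers are hypothetical stand-ins for htmx's attribute processing.

// Hypothetical model of hx-vars: the attribute body becomes the inside of an
// object literal and is executed via the Function constructor (i.e. eval).
function evalHxVars(attrValue) {
  return new Function("return {" + attrValue + "}")();
}

// Hypothetical model of hx-vals: the attribute is parsed as JSON and never executed.
function parseHxVals(attrValue) {
  return JSON.parse(attrValue);
}

// Constructed attacker input: a "username" that a server might template into the
// attribute. It closes the string, adds a property whose value runs code, and
// reopens a string so the object literal stays syntactically valid.
const USERNAME = 'x", pwned: (globalThis.pwned = true), z: "';

// Naive server-side templating: the user value is concatenated straight into
// the attribute with no encoding at all.
function naiveAttrBody(username) {
  return 'name:"' + username + '"';
}

// hx-vars-style handling of the naively templated attribute: the injected
// expression executes when the attribute is evaluated.
function demoHxVars() {
  globalThis.pwned = false;
  const params = evalHxVars(naiveAttrBody(USERNAME));
  return { executed: globalThis.pwned === true, keys: Object.keys(params) };
}

// hx-vals-style handling of the same naive templating: JSON.parse refuses the
// unquoted key / expression, so nothing runs. Returns true when parsing threw.
function demoHxValsNaive() {
  globalThis.pwned = false;
  try {
    parseHxVals("{" + naiveAttrBody(USERNAME) + "}");
    return false;
  } catch (e) {
    return e instanceof SyntaxError && globalThis.pwned === false;
  }
}

// The right way to emit hx-vals: JSON-encode the whole object, then escape it
// for the HTML attribute context. (Simplified escaping; assumption for the demo.)
function escapeAttr(s) {
  return s.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;")
          .replace(/"/g, "&quot;").replace(/'/g, "&#39;");
}

// What the HTML parser does before htmx ever sees the attribute value.
function unescapeAttr(s) {
  return s.replace(/&quot;/g, '"').replace(/&#39;/g, "'").replace(/&lt;/g, "<")
          .replace(/&gt;/g, ">").replace(/&amp;/g, "&");
}

function renderHxValsAttr(obj) {
  return escapeAttr(JSON.stringify(obj));
}

// With JSON encoding the attacker string survives as data: one key, original value.
function demoHxValsSafe() {
  const attr = renderHxValsAttr({ name: USERNAME });
  const params = parseHxVals(unescapeAttr(attr));
  return params.name === USERNAME && Object.keys(params).length === 1;
}

console.log("hx-vars model:", demoHxVars());
console.log("hx-vals model, naive templating rejected:", demoHxValsNaive());
console.log("hx-vals model, JSON-encoded attribute safe:", demoHxValsSafe());
```

Two caveats for a practitioner: the JSON path is only safe if the server JSON-encodes the whole object and then attribute-escapes it, as renderHxValsAttr does; concatenating user input into a hand-written JSON string reintroduces injection, this time as JSON rather than JavaScript. And hx-vals itself switches to evaluation when the attribute value is prefixed with `js:` (or `javascript:`), so the same caution as for hx-vars applies to that form.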