by recursivedoubts
2032 days ago
It definitely helps improve your security complexity over things like, say, GraphQL, where row-level security is necessary to prevent people from firing off random queries from the browser console. There are a couple of places in the code where eval()/Function code are fired off which require some security-thinking:

https://htmx.org/attributes/hx-trigger/

hx-trigger evaluates expressions for the event filter. This typically isn't an issue since you would be unlikely to use user input in this context.

https://htmx.org/attributes/hx-vars/

hx-vars evaluates expressions to include in the request. This is a bit more dangerous, because you might try to pass values through with this mechanism. If this includes user input then you should use hx-vals instead:

https://htmx.org/attributes/hx-vals/
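The hx-vars versus hx-vals distinction above, as an added example that is not part of the comment or of the htmx project: a small server-side (Node-style) helper that emits user-derived data through hx-vals as a JSON object literal rather than through hx-vars, plus a template lint that flags attributes htmx will evaluate as JavaScript. The helper names (buildHxVals, readHxVals, findEvaluatedAttributes) are made up for this illustration; the treatment of a `js:` or `javascript:` prefix on hx-vals as an evaluated expression follows my reading of the htmx docs for that attribute and is stated here as an assumption about the library.

```javascript
// Added example, not htmx project code. Carries server-side data (possibly
// derived from user input) through hx-vals as literal JSON, so it is parsed
// as data, instead of through hx-vars, whose value htmx evaluates as JavaScript.

// Escape a string for a double-quoted HTML attribute (& first, so later
// replacements cannot produce a new entity).
function escapeAttr(s) {
  return s
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;");
}

// Undo escapeAttr (& last, mirroring the escape order): this is the attribute
// value the browser hands to htmx.
function unescapeAttr(s) {
  return s
    .replace(/&quot;/g, '"')
    .replace(/&gt;/g, ">")
    .replace(/&lt;/g, "<")
    .replace(/&amp;/g, "&");
}

// Build an hx-vals attribute. JSON.stringify of a plain object always yields a
// literal starting with "{", so a user-controlled string can only ever be a
// JSON string value; it cannot close the attribute (quotes are escaped) or turn
// the attribute into an expression.
function buildHxVals(values) {
  if (values === null || typeof values !== "object" || Array.isArray(values)) {
    throw new TypeError("hx-vals expects a JSON object");
  }
  return `hx-vals="${escapeAttr(JSON.stringify(values))}"`;
}

// Parse the attribute back the way a JSON consumer would; the round trip must
// reproduce the original data exactly.
function readHxVals(attr) {
  const m = /^hx-vals="(.*)"$/s.exec(attr);
  if (!m) throw new Error("not an hx-vals attribute");
  return JSON.parse(unescapeAttr(m[1]));
}

// Template lint: report attributes whose value htmx evaluates as JavaScript.
// hx-vars always is; hx-vals is when prefixed with "js:" or "javascript:"
// (assumption based on the htmx docs, see lead-in). Plain JSON hx-vals passes.
function findEvaluatedAttributes(html) {
  const findings = [];
  const re = /\b(hx-vars|hx-vals)="([^"]*)"/g;
  let m;
  while ((m = re.exec(html)) !== null) {
    const [, name, raw] = m;
    const value = unescapeAttr(raw).trim();
    if (name === "hx-vars" || /^(js|javascript):/i.test(value)) {
      findings.push({ attribute: name, value });
    }
  }
  return findings;
}

// Constructed sample data containing every character that matters in an
// attribute or JSON context.
const SAMPLE = { q: 'he said "hi" & left <3', page: 2 };
const SAMPLE_ATTR = buildHxVals(SAMPLE);

// Constructed template fragment: one evaluated hx-vars, one safe hx-vals, one
// hx-vals opted back into evaluation via the js: prefix.
const SAMPLE_HTML =
  `<div hx-vars="q:getQ()"></div>` +
  `<div ${SAMPLE_ATTR}></div>` +
  `<div hx-vals="js:{x: 1}"></div>`;

module.exports = { buildHxVals, readHxVals, findEvaluatedAttributes, SAMPLE, SAMPLE_ATTR, SAMPLE_HTML };
```

Run with `node` and inspect `SAMPLE_ATTR`: the only unescaped quotes are the two delimiting the attribute, and `findEvaluatedAttributes(SAMPLE_HTML)` reports the hx-vars and the `js:`-prefixed hx-vals but not the JSON one.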