by Ayesh
720 days ago
HTMX always assumes that the incoming HTML is properly sanitized. If it isn't, the application is already vulnerable. HTMX triggers do in fact use JavaScript eval(), which will get blocked with a CSP that does not allow it. But you can use standard JS scripts to add events. The same goes for inline CSS.