by OptionOfT
719 days ago
This one surprised me: https://www.sjoerdlangkemper.nl/2024/06/26/htmx-content-secu...

<div hx-disable>
<%= raw(user_content) %>
</div>

So, I get that `raw` prevents htmx from being used. I get that `<script>` still works. But I find it scary that if `user_content` is `</div><div>...` that is actually injected, as raw HTML. I would expect that the `<%= raw(user_content) %>` only has access to contents of the div it is in itself, and nothing more. But instead I understand that the HTML is injected as text (?) and then re-parsed (?).
In Angular, for example, the template is parsed into a DOM tree, and then template variables are placed in the correct place. This makes injection really hard. In the above example, it would be impossible to break out of the div.
Other template engines just do a string search/replace, and this makes injection easy. Then it's indeed possible to break out of the div just by injecting </div>.
The example you quoted comes directly from the HTMX docs. They don't specify which template system is used, and I don't immediately recognize the syntax to limit it to a specific template system.
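The difference both comments describe (string search/replace splicing user input into the markup, versus a DOM-style engine that keeps a variable inside the node it belongs to) as an added example, not code from the thread, the htmx docs or the linked article. The template string, the payload and the `Outline` parser are constructed here; escaping stands in for the text-node insertion a DOM-based engine performs.

```python
from html import escape
from html.parser import HTMLParser

# Constructed template mirroring the snippet quoted above; the ERB-style
# `<%= raw(user_content) %>` is modelled by plain string substitution.
TEMPLATE = "<div hx-disable>{content}</div>"

# Constructed user input that closes the wrapper early and opens a new element.
PAYLOAD = '</div><div class="x">injected'


def render_string_engine(user_content: str) -> str:
    """String search/replace, like `raw(...)`: input is spliced in as markup."""
    return TEMPLATE.format(content=user_content)


def render_dom_engine(user_content: str) -> str:
    """A DOM-based engine inserts the variable as a text node; escaping is the
    string-output equivalent, so the input can never close the wrapper."""
    return TEMPLATE.format(content=escape(user_content, quote=True))


class Outline(HTMLParser):
    """Records which elements end up outside any hx-disable ancestor."""

    def __init__(self):
        super().__init__()
        self.disable_depth = 0   # >0 while inside an hx-disable element
        self.stack = []          # one flag per open tag: carries hx-disable?
        self.unprotected = []    # elements not covered by hx-disable
        self.text = []

    def handle_starttag(self, tag, attrs):
        has_disable = any(name == "hx-disable" for name, _ in attrs)
        if self.disable_depth == 0 and not has_disable:
            self.unprotected.append(tag)
        self.stack.append(has_disable)
        if has_disable:
            self.disable_depth += 1

    def handle_endtag(self, tag):
        if self.stack and self.stack.pop():
            self.disable_depth -= 1

    def handle_data(self, data):
        self.text.append(data)


def analyse(html: str) -> dict:
    """Parse the rendered output the way the browser would re-parse it."""
    p = Outline()
    p.feed(html)
    p.close()
    return {"unprotected": p.unprotected, "text": "".join(p.text)}
```

With the string engine the payload's second `div` lands outside the hx-disable wrapper; with the DOM-style engine the whole payload survives only as text inside it.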