Hacker News new | ask | show | jobs
by rafram 323 days ago
> exercise in vibe-coding

The code shows it... Your escaping routine seems OK, but you really __should not__ be building HTML and JS(!) using raw string interpolation. Or letting the client decide whether the submission needs moderation.
2 comments
hallak 323 days ago
I don't let the client decide whether the submission needs moderation :)

There's a very slightly different model in the backend that sends things to the mod queue. Strings are also sanitized there. But copilot really wanted to add all that logic to the frontend too and I thought it was funny

link
rafram 323 days ago
You still should not be building HTML and JS using string interpolation.
link
hallak 323 days ago
Absolutely! I've removed all references of HTML and JS using string interpolation.

(jk)

This is definitely a drawback with with vibe-coding. I never really write like HTML5 style code - at work I always use typescript with heavy ESLint, so never have to worry about this.

I figured the string sanitization in the backend would take care of any XSS vulns, which was my main concern. But I will have to read into the dangers of string interpolation which I admit I do not remember too much about (outside of the XSS stuff I tried to mitigate).

Thanks for giving the opportunity to learn... :)

link
mh- 323 days ago
> Absolutely! I've removed all references of HTML and JS using string interpolation.

I love that this is becoming a meme, haha. Thanks for the laugh.

link
hyperhello 323 days ago
To be fair, everything on the client is raw string interpolation. It's only secure if you comprehensively vet everything once it's on the server.
link
rafram 323 days ago
That's absolutely not true. Sanitization on the client is significantly safer, because the client knows how it parses HTML, while the server can, at best, guess (and hope it follows the spec).

When you set element.textContent = someUserGeneratedContent, the browser guarantees that the user-generated content will never be parsed as HTML.

response.write("<div>" + sanitize(someUserGeneratedContent) + "</div>") has no such guarantee.

link
Aachen 321 days ago
That's not sanitisation, that's separating data from executable code. It's a better solution when possible, but the solution suggested above also works
link
hyperhello 323 days ago
If that’s all you want, it’s trivial to replace all < and & with their encodings.
link