
Element: setHTML() method

(developer.mozilla.org)
170 points todsacerdoti | 1 comments
dzogchen No.45675208
Neat. I think once this is adopted by HTMX (or similar libraries) you don't need to sanitize on the server side anymore?
replies(1): >>45675272 #
dylan604 No.45675272
Do you honestly feel that we will ever be in a place for the server to not need to sanitize data from the client? Really? I don't. Any suggestion to me of "not needing to sanitize data from client" will immediately have me thinking the person doing the suggesting is not very good at their job, really new, or trying to scam me.

There's no reason to not sanitize data from the client, yet every reason to sanitize it.

replies(4): >>45675347 #>>45675432 #>>45675693 #>>45676358 #
padjo No.45675693
Sanitize as close as possible to where it is used is usually best, then you don’t have to keep track of what’s sanitized and what’s not sanitized for very long.

(Especially important if sanitation is not idempotent!)
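An added example (not from the thread or from MDN) of the non-idempotence point above: HTML escaping is not idempotent, so a pipeline that "defensively" encodes on the way into storage and then encodes again at render time double-encodes the output, while storing raw and escaping exactly once at the point of use gives the intended result. The functions, the escaping table and the sample input are all constructed here for illustration.

```javascript
// Added example: why "sanitize as close as possible to where it is used" matters
// when the sanitizer is not idempotent. HTML escaping is the classic case:
// applying it twice turns "&lt;" into "&amp;lt;", which renders as a literal "&lt;".

// Constructed escaping table for the five characters that matter in HTML text
// and attribute-value contexts.
const ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Escape a string for insertion as HTML text or as a quoted attribute value.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Idempotence check on one sample: fn(fn(x)) === fn(x)?
// Returns false for escapeHtml because "&" is re-encoded on the second pass.
function isIdempotent(fn, sample) {
  const once = fn(sample);
  return fn(once) === once;
}

// Anti-pattern: encode at storage time AND again in the template.
// The reader of the stored value can no longer tell whether it is raw or encoded,
// and the second pass double-encodes.
function storeThenRenderEscapedTwice(userInput) {
  const stored = escapeHtml(userInput); // "defensive" encoding on the way in
  return escapeHtml(stored);            // template encodes again at render time
}

// Preferred: validate on input, store the value as-is, and escape exactly once
// at the point of use. Nothing has to track "is this already sanitized?".
function storeThenRenderEscapedOnce(userInput) {
  const stored = userInput;             // stored raw (validated, not encoded)
  return escapeHtml(stored);            // single encoding step at render time
}

// Constructed sample input.
const SAMPLE = "<b>Tom & Jerry</b>";

if (typeof require !== "undefined" && require.main === module) {
  console.log("idempotent:", isIdempotent(escapeHtml, SAMPLE));
  console.log("twice:     ", storeThenRenderEscapedTwice(SAMPLE));
  console.log("once:      ", storeThenRenderEscapedOnce(SAMPLE));
}
```

The same reasoning applies to a browser-side step such as the `setHTML()` method the thread is about: it is one more sanitizing stage, and if a value has already been encoded on the server, passing it through a second stage on the client changes what is displayed. Keeping each value in one clearly defined state (raw until the rendering step) is what makes that safe to reason about.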