kitajs / html

🏛️ Super fast JSX runtime to generate HTML strings that works everywhere. If it supports string we got you covered.
http://kitajs.org/discord
MIT License

Htmx + safe attribute doesn't work #26

Closed fecony closed 1 year ago

fecony commented 1 year ago

I have a simple example using the Elysia/html plugin, kita and htmx.

Elysia endpoint

app.post('/clicked', ({ html }) => html(<script>alert("hacked!")</script>))

Component with htmx tags

const Component = () => (
    <button
        hx-post="/devtools/clicked"
        hx-trigger="click"
        hx-swap="innerHTML"
        safe
    >
        Click Me!
    </button>
)

This results in injecting and running JS code... maaaaaybe I need to sanitize it on the server then?

fecony commented 1 year ago

Sanitizing on server works as expected. I just wanted to make sure it is how htmx works there or if it can be fixed


arthurfiorette commented 1 year ago

This is intended behavior. The safe attribute only has an effect when the inner createElement call is made. No extra JS code is sent to the client, so there's no way to do that. You should use the safe attribute where you would interpolate user-generated content, not on an HTML response sent from a server.
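To make the distinction concrete, here is an added example in plain JavaScript (not code from the kitajs/html project or from the participants above). It models the two places in this thread where HTML is produced: the component rendered with a `safe`-style escape at the interpolation point, and the `/clicked` endpoint whose response htmx swaps into the DOM untouched. `escapeHtml`, `renderButton`, `clickedResponse` and `clickedResponseEscaped` are my own helpers standing in for the library's behaviour, and the sample payload is constructed for the demonstration.

```javascript
// Added example: where escaping happens when a kita component and an htmx
// endpoint are combined. None of these functions are the library's API.

// Stand-in for the escaping that the `safe` attribute applies to children
// at createElement time (own helper, not the library's export).
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Component rendered once for the initial page. `label` is user-generated,
// so it is escaped here. This is the only point the `safe` attribute covers;
// the hx-* attributes are just plain attributes on the output string.
function renderButton(label) {
  return (
    '<button hx-post="/clicked" hx-trigger="click" hx-swap="innerHTML">' +
    escapeHtml(label) +
    '</button>'
  );
}

// Endpoint response as written in the issue: whatever string the server
// returns is what htmx inserts. No client-side code from the component
// runs here, so `safe` on the button cannot affect this string.
function clickedResponse(body) {
  return body;
}

// Hardened endpoint: if `body` can contain untrusted input, escape it on
// the server before it becomes the response (what the reporter ended up
// doing).
function clickedResponseEscaped(untrustedBody) {
  return escapeHtml(untrustedBody);
}

// Simple detection check a reviewer or test can run over rendered output:
// does the HTML still contain a raw <script> tag?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed sample payload, the same one used in the issue.
const SAMPLE_PAYLOAD = '<script>alert("hacked!")</script>';

function demo() {
  console.log('component  :', renderButton(SAMPLE_PAYLOAD));
  console.log('raw reply  :', clickedResponse(SAMPLE_PAYLOAD));
  console.log('escaped    :', clickedResponseEscaped(SAMPLE_PAYLOAD));
  console.log('raw has <script>?    ', containsScriptTag(clickedResponse(SAMPLE_PAYLOAD)));
  console.log('escaped has <script>?', containsScriptTag(clickedResponseEscaped(SAMPLE_PAYLOAD)));
}

demo();
```

The takeaway matches the maintainer's answer: the component's escaping is applied to the string it builds, and nothing travels to the browser to re-apply it to a later response. Any endpoint whose body can carry user input has to escape (or otherwise sanitise) that input itself before returning it.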

fecony commented 1 year ago

Thanks for the clarification ❤️