1lint | 2 years ago

By your argument, everyone using string templating for HTML has bad/nonexistent web security. I disagree.

yencabulator|2 years ago

Not everyone, just the people whose pages display untrusted inputs. Which is a huge fraction of the modern web...

(The rest just have brittle websites that might break when someone uses certain punctuation for the first time.)

1lint|2 years ago

Ah okay, I see now you were referring to failure to sanitize inputs/outputs in the original comment. I don't know if this oversight occurs more often when using string templating, but I'm pretty sure this was already a problem long before string templating came into practice.

hirvi74|2 years ago

Isn't that why server-side validation exists? What's wrong with letting the user enter whatever they want? It doesn't mean it has to be accepted.