Once I did as a personal challenge and then you can get a list of common bugs that might lead to other problems. You can work one by one but then you get another list and you get another kick. But it is fun to try

I just remember log4j

Same, I prefer to implement myself most things but Date/Timezone management and security related stuff are 2 topics I don't want to touch if possible

@@rosco3 Oh god yes, f*ck Time management of any kind. Especially in JS.

Fun fact, html sanitation and this specific weirdness is what prevented a hackers malware from working on my phone(s). 😅 They shit in their own hand on that one

The HTML 5 spec is nearly entirely trying to nail down the least broken interpretation of existing content written against the wacky browsers of the time.

, etc. are a rare way to count items and basically ignoring , ... by parsing them as comments might be a concession to broken markup cleaners that tried to close those non-tags.

as it's really new... it might contain issues....

@@vaisakhkm783 Hey if you find any I bet there is a reward from google...

Cool, but its not supported in FF or Safari.

​@@vaisakhkm783IDK, I'd trust browser authors more with sanitizing HTML, since they wrote their own parser. It wouldn't surprise me if it used some of the browsers own html parsing logic

​@@spicybaguette7706until people figure out some no click exploit

Oh that is nice, I love jsoup

Markup languages seldom throw errors. It'd also be annoying to have an entire document not render for you just because they used something your renderer doesn't allow But you can enforce well formed HTML as a style guide for your project, which many people already do

@@seanthesheep Or block execution in case of malformed syntax?

Elon change to Tweslla

Twitter in 2006: "Its like text-messages, but for companies to do PSAs and engage with their audience like 'Our website is down, sorry!' or '25% discount at XYZ on friday'" Twitter in 2023: "yOU mUsT sIgN uP tO sEe tHiS tWeEt"

​@@ET_AYY_LMAO Twitter in 2006: nobody cared Twitter in 2023: nobody cares

@@jaydeep-pok

I can't wait for the day that someone responds to this with something along the lines of, "wow, I can't believe you predicted the future!!!". Twitter will fall and after a couple awkward years (shit, months?) the Internet collective will find a new hate machine where people say funny little things and receive death threats in response. What a time to be alive 😔

Another totally unrelated discovery I found common a decade ago or so is to not escape float arguments in SQL, right around where Gmap API was the next thing everyone wanted, I found so many sites where you could SQL inject the lat lng arguments on the endpoint for map data. This included the largest private buy and sell site in my country at the time, but their parent company scolded me at a job interview so I never told them about it >:) Nowadays everybody thankfully uses data binding instead of concatenation when building SQL in their applications.. (And yes I was able to get the user table by reading the database structure from INFORMATION_SCHEMA table in mysql and absolutely pwn the shit out of them, but I'm a nice guy that does this shit just for bragging rights)

@@blenderpanzi I really wanted to reply but youtube keeps deleting it lol.

@@ET_AYY_LMAO You can't include any URLs in KZbin comments. They get auto-deleted.

@@blenderpanzi Urls cover more than http, there is other protocols and pseudo protocols like mailto that could be 100% legit use cases as well as relative urls. But yes, always whitelist!

@@ET_AYY_LMAO Yes, as I said, you might over-block, but that is not as bad as having an injection. Add mailto: to the list of allowed protocols if you want to allow that. :D

You seem to have missed the bit at 1:15.

You can have hiphens in tag names. Custom elements need it as in

There's no way to get a regex for HTML, period. It is provably impossible, and applies to any language where the syntax requires you to match opening and closing brackets or any equivalent thing such as tags.

Nothing happened?

Heh. I get it now. Haha

😂 trying to defeat yt??

bravo, you win the internet :D

Guys, I actually found something, I know the comment looks ok, but when some of you liked it, my android notification showed "someone liked your comment ''". So, it proves that these problems are everywhere.

@@intron9 prob character limit?

It was explained at 8:53

@@DefineSyntax994 ahh I see, it treats it differently when it`s a closing tag, thanks!

because the HTML specification says the browser has to do that ;)

Does it count as a valid criticism that such a solution would probably be as fragile as its most fragile facet (the JavaScript successor), and, despite the people behind it, XHTML failed in the market because it had XML-style parse errors rather than HTML-style parsing recovery? That's a big reason I never use anything client-side templated like React/Angular/Vue/etc. in my own projects. If a transient network fault causes a CSS subresource to fail to load, the page will be ugly, but probably still usable. If an IT department's application firewall hasn't added the CORS header needed to serve up my font to their HTML header whitelist, the page will be ugly but should still function. If a templating or sanitizing mistake results in malformed HTML, there's still an opportunity for things to work, and for another layer like CSP to prevent any sanitizing mistake from being exploitable. I can use uMatrix and uBlock Origin to block ads and potential exploit vectors without the site doing a web equivalent to segfaulting. etc. etc. etc. Hell, Postscript *is* an actual turing-complete programming language in the vein of what you seem to be asking for and, when it was adapted into PDF, they took it further *away* from what you're asking for. Various exploits have occurred because of the need to run turing-complete code to render a PDF document, even with the bolted-on JavaScript support turned off. Various people prefer SVG over Postscript specifically because it's a more HTML-like declarative solution for describing a document. etc. etc. etc. Likewise, TeX is a programming language for document creation... people have been migrating away from writing it directly to writing declarative things like Markdown and reStructuredText and then programmatically translating to TeX code when they need to access its ecosystem of document typesetting extensions. ...not to mention that you're going to need an HTML-like DOM either way, because that's how screen readers and other accessibility tools see the world (GTK applications on Linux actually have an equivalent to a DOM explorer built in for their widget tree and ready to be turned on by an environment variable), and HTML has been drifting toward closer alignment with the accessibility DOM it generates over the last decade.

@@ssokolow Fragility would depend on the design. So if a committee designs it, it'll take a decade and start out okay, but then turn fragile as more crap is bolted on. If a group of OSS nerds develop it, then it'll be fragile from the start and over time converge on being hardy, but become more and more bloated than even a committee could make it and it would still suck. It would require that a single person with a good vision for it to stringently design it and direct its implementations. This is something that will never happen because corporations would never adopt such a system even if it was the best system. So to answer your first question, yes *and* no, with the dependence on which answer is correct based on who gets to design it.

@@anon_y_mousse I disagree. I have yet to be convinced that it's not a technical impossibility to make anything practical which incorporates turing-complete code (i.e. the part which does JavaScript-y things) as gracefully degrading as the HTML+CSS side of what we already have, regardless of who designs it. It's similar to how the power of a static type system or of Rust's "static, compile-time garbage collection" is in *restricting* what the system is capable of, to bring it to a point the computer can better understand your intentions.

@@ssokolow It's not a technical impossibility, it's a human adoption problem. But if you're a Rustacean then you won't understand, so there's no point in discussing it with you.

@@anon_y_mousse Wow. That's a big assumption out of nowhere. I could have just as easily pointed to C and C++ forbidding unconstrained GOTO instead. (It used to be commonplace for high-level languages to give you assembly language's freedom to jump into the middle of a function, bypassing its beginning.) I just wanted a second example to complement what static typing brings.