HTMX IS INSECURE (XSS) | Prime News

  Рет қаралды 123,524

ThePrimeTime

ThePrimeTime

Күн бұрын

Пікірлер: 491
@emilhauk
@emilhauk Жыл бұрын
You should never trust anything that comes into your backend from the outside. Frontend validation of input is great for providing error messages without needing a round-trip to the backend, but your backend should always assume incoming data is hostile.
@lubricustheslippery5028
@lubricustheslippery5028 Жыл бұрын
It was more about the frontend trusting what is coming from the backend. HTMX is taking data from the backend and changing the HTML without validation. (If you can't trust your backend you may need to rethink it... So you should do what you say and filter for XSS attacks when outside data comes in to your backend not only for SQL injections)
@ivanjermakov
@ivanjermakov Жыл бұрын
I agree. FE validation for UX, BE validation for security and data integrity.
@tablettablete186
@tablettablete186 Жыл бұрын
But, but Google Web Integrity will solve this! (Yeah, this is sarcasm)
@jonnyso1
@jonnyso1 Жыл бұрын
Yep, that's my rule of thumb, front end validation is an UX thing, backend validation is a security thing.
@ja31ya
@ja31ya Жыл бұрын
@@lubricustheslippery5028 This isn't a new problem, you would do this no matter what framework you're using, so using this as an argument against HTMX is fallacious. Of course if you can't trust 3rd-party content (untrusted server), you're going to sanitize it before injecting it as HTML into your page; that's just common sense. If the argument is that it's too easy to not realize everything is injected, I would say that's a skill issue, not an inherent flaw of the system. If I give you a knife and you cut yourself with it, that's not an inherent flaw in the knife, that's your inability to use it properly.
@lcarsos
@lcarsos Жыл бұрын
When I learned webdev, it was straight PHP, no JS. That's why I like HTMX. It's like coming home. I can render everything on the server again, but now I don't have to send whole pages back. This whole "You didn't sanitize your form inputs" kerfuffle is weird. It's the web, literally anyone can curl anything at any of your rest endpoints. You should ALWAYS be server-side sanitizing. Anyone that thinks the remote client is trustworthy should watch multiplayer game development.
@zebraforceone
@zebraforceone Жыл бұрын
What I love about HTMX is the potential to do both client and server side sanitization from the same document object model, I've experimented with this in the past using HTML5's pattern and required, it's great to see this approach being embraced
@coldestbeer
@coldestbeer Жыл бұрын
So why not use php? Let me guess you have ptsd from being bullied.
@sircalvin
@sircalvin Жыл бұрын
@@coldestbeer php isnt as bad as people say it is, but its not good. also htmx lets you use any language on the backend, so you can use the one that actually fits youre problem best, instead of php or js for no good reason
@coldestbeer
@coldestbeer Жыл бұрын
@sircalvin but if you're using php & use laravel for backend framework, you can just use blade templates & you got htmx.
@quintencabo
@quintencabo Жыл бұрын
Yeah exactly, people often forget people can just completely ignore your client. Always check on the server. On the client is just for convenience.
@themrubios
@themrubios Жыл бұрын
Seeing React developers discover how the web works and being spooked by things that have been solved for more than two decades is super entertaining.
@shrin210
@shrin210 Жыл бұрын
Yup, as a Reactjs dev i needs to learn more. But I know every tool is great whether jQuery, php, Reactjs or Htmx. It is always devs fault not the tools fault.
@randyfelts4625
@randyfelts4625 Жыл бұрын
Soooo much this. I pulled out of ui work years ago to focus on back-end. I came back to ui to learn the latest fads (React, Angular, etc...). I'm mostly disgusted with the beautifully overloaded javascript. We were doing much cleaner, faster, and responsive web sites with well designed AJAX 2 decades ago. That experience showed me why most "modern" web sites have become so trashy.
@VojtěchJavora
@VojtěchJavora Жыл бұрын
​@@shrin210well, I mean some "tools" are inherently insecure.
@RamkrishanYT
@RamkrishanYT 11 ай бұрын
"look at all these jrs, clearly unlike me: a senior"
@ryanleemartin7758
@ryanleemartin7758 11 ай бұрын
@@RamkrishanYT he's not wrong though.
@maxtaylor3531
@maxtaylor3531 Жыл бұрын
Did you know that if you leave yourself vulnerable to XSS you’re vulnerable to XSS?
@almcchesney
@almcchesney Жыл бұрын
Right!?! And this just in, sql is insecure because if you leave yourself vulnerable to Sql injection, you're vulnerable to Sql injection!!!
@DropShotPat
@DropShotPat Жыл бұрын
Right, like what is the argument against SQL, SQL injection reigned as the #1 cybersecurity exploit for almost 20 years only dropping to #3 in 2020, the lesson seems to be sanitize the inputs.
@Slashx92
@Slashx92 Жыл бұрын
@@DropShotPat DONT USE SQL!!! DONT YOU KNOW ABOUT SQL INJECTION?
@nodidog
@nodidog Жыл бұрын
I can see devs reading this statement, and reacting like the mitchell and webb comedy sketch 'A Bigger Spoon'
@DoubleM55
@DoubleM55 Жыл бұрын
@@DropShotPat The lesson is not "sanitize the inputs" in case of SQL injection. Why do I hear this so many times? It's not it. The lesson is: "Use proper prepared statements so parts of user input can't be executed as SQL". Users can still enter shit like "WHERE 1=1;" in "email" field, and it will simply be stored in DB table as plain text, never treated as code.
@abhinavadarsh7150
@abhinavadarsh7150 Жыл бұрын
Complexity intruduced by interactivity was the main reason we switched to frameworks from template and server rendered html. HTMX solves it. Time to move back to old days..... HTMX will be loved more by backend devs (like me) beacuse we will have more control.
@__Brandon__
@__Brandon__ 9 ай бұрын
Just add something similar to htmx to html6 and let the browser handle it. There's no reason JavaScript should be a requirement to use a modern website
@AlbatrossCommando
@AlbatrossCommando Жыл бұрын
"You can get XSS if you reflect raw user input back" really isn't the point they think it is.
@fulconandroadcone9488
@fulconandroadcone9488 Жыл бұрын
Hacking your self with copy paste.
@definitelyno
@definitelyno Жыл бұрын
@@fulconandroadcone9488 please learn basics of reflected xss :)
@pastenml
@pastenml Жыл бұрын
HTMX is too secure. We need HTMXSS
@slotos
@slotos Жыл бұрын
If frontend sanitizes, nothing stops me from donning a “I’m a frontend” t-shirt and tell the backend there’s “gullible” written on its lungs.
@yuliusseraph4973
@yuliusseraph4973 Жыл бұрын
Hey backend the gay says what!! Backend: what?.. ... oh
@Dan_1348
@Dan_1348 Жыл бұрын
Obviously the backend needs to sanitise, but some people aren't aware that frontend sanitisation does actually provide a defence in depth security benefit in niche cases where an attacker has restricted abilities e.g. to mess with user input. And of course there's a more obvious defence in depth benefit to sanitising what you get back from the backend before you attempt to render it.
@slotos
@slotos Жыл бұрын
Backend sanitizes data it needs to store and present authoritatively. Frontend sanitizes data it fetches and needs to present authoritatively. All for the same t-shirt wearing, lung drawing reason. And IMO, frontend sanitization when sending data doesn’t really restrict attacker, it merely filters out script kiddies and “too eager to modify forms” single neuron bastards like me. Frontend does shine when one needs to _structure_ input data close to the point of truth though.
@victorpetrescu13
@victorpetrescu13 7 ай бұрын
If you "sanitize" on front, you don't sanitize the input, you sanitize the output. Imagine the following case: data inputed script alert('whatever'); script (I removed the tags notation because I don't know how much youtube would read into that). Lets say now that is not sanitized on back, and you save it exactly like that (not a good idea, but to exemplify why front sanitize works vs xss if done corectly). Now you read the data (well... another user does and it goes to his browser in a comment, listing, whatever). If the front just removes the tags for example (not a perfect sanitization, but again, example), that becomes a simple useless ugly string. The attacker can ofc disable that sanitization BUT he can only do that for himself (because for other users, you control the interface). So yes, you can sanitize the output on front as a counter to xss. Specifically to xss.
@Necessarius
@Necessarius Жыл бұрын
The same kind of people who made an insecure site in php 5, years ago are the same kind of people who now don't understand HTMx and think it's insecure. Skill Issue
@orbatos
@orbatos Жыл бұрын
"But the X is scary"
@SXsoft99
@SXsoft99 Жыл бұрын
as i always said "it's not the language it's the monkey between the chair and the keyboard"
@asdqwe4427
@asdqwe4427 Жыл бұрын
@@SXsoft99 htmx is not a language
@fulconandroadcone9488
@fulconandroadcone9488 Жыл бұрын
@@asdqwe4427 Yea sure, next thing you will say HTML and CSS are not real langue next? They are real and very much ready to hurt your feelings.
@konstakuosmanen
@konstakuosmanen Жыл бұрын
​@@SXsoft99it's a PEBCAK
@sentgine
@sentgine Жыл бұрын
In my opinion, sanitization should always be implemented on the backend, regardless of whether or not the frontend is handling it. Generally, the backend is a much safer environment to perform these tasks, as it allows greater control over your code. Since anyone can manipulate things on the frontend and send them to the server, prioritizing backend sanitization ensures a higher level of security.
@stellarwind932
@stellarwind932 Жыл бұрын
if you sanitize on the clients side you should do it on the data you receive from the backend and not / not exclusively on the data sent. however, it is still a better idea to sanitize on the backend for performance reasons imo
@ElektrykFlaaj
@ElektrykFlaaj Жыл бұрын
@@stellarwind932 why should i sanitize data received from the backend if i sanitize before sending on the frontend? I don't get the connection here. In my job the data is validated and sanitized on the backend and additionally validated on the frontend for the UX reasons (imagine having bad connection and having to wait for validation each time you try to submit)
@tommy_1446
@tommy_1446 Жыл бұрын
​@@ElektrykFlaaj If you sanitize before sending you are still vulnerable to XXS attacks. It is a matter of opening the development tools and checking which post request is being made. Then you can just send an analogous request skipping the sanitization step. Basically, you cannot assume that any checks performed by the frontend will not be skipped by a user with programming skills. You can either sanitize the input sent by the server in the frontend or sanitize it in the backend (the most sensible choice), but you should not sanitize it in the frontend before sending it.
@bobbycrosby9765
@bobbycrosby9765 11 ай бұрын
@@ElektrykFlaaj because I can open developer tools, see what endpoints you're hitting, and pass it whatever the fuck I want.
@DrKartoffelsalat
@DrKartoffelsalat Жыл бұрын
This is hilarious. People figured out this stuff decades ago when we all build our little projects with PHP and we always had to sanatize server-side (the days before the SPA and reactive websites). I do wonder if modern web devs are actually capable of thinking outside their training-wheel bubble sometimes.
@stoogel
@stoogel Жыл бұрын
It's a problem with people starting with React and not plain DOM manipulation
@lordmushroom723
@lordmushroom723 Жыл бұрын
facts@@stoogel
@iWhacko
@iWhacko Жыл бұрын
I still make websites with plain HTML5, backend technology doesnt matter. but always have to sanitize user input, I don't see how this is different. You're right, it's like new dev's have never heard of this before. They probably would be open to SQL injection attacks if they didn't have training wheels with prepared statements etc.
@DanteMishima
@DanteMishima Жыл бұрын
They aren't. They absolutely aren't.
@MrTerribleLie
@MrTerribleLie Жыл бұрын
@@iWhacko Most probably don't even use SQL because they drank the NoSQL flavor aid. The hoops you have to jump through to perform what would be a simple task in SQL always amaze me.
@AhmetTemizTR
@AhmetTemizTR Жыл бұрын
It's not safe to use htmx if you can't trust the hypermedia content coming from the backend. But in this case, don't you have a bigger problem?
@anthonydugarte
@anthonydugarte Жыл бұрын
do you know what sanitizing is?
@litpath3633
@litpath3633 Жыл бұрын
@@anthonydugarte i think he is saying, your server is already rektified and sending malware to all your visitors, but if your server is compromised, no client framework would help
@Rohinthas
@Rohinthas Жыл бұрын
Man, my Professor for WebEng had to listen to so many people complain about how outdated his course was because he was focussing on the basics of HTML and jQuery, data sanitization, attack vectors etc. This was not long ago and now I'm sitting here wondering how many of my class mates would re-x the OP... I get that not everyone goes to Uni, but man, you cant just skip the basics and then act indignant when a framework doesnt do it for you.
@fulconandroadcone9488
@fulconandroadcone9488 Жыл бұрын
If you skip on security it will come to bite you. If it is no longer viable attack vector there is a reason for it and if you don't know what is the reason for it you might skip on it. And then you will very much know what the reason if for the rest of your life.
@terezip2213
@terezip2213 Жыл бұрын
what in the ever loving fuck is a "re-x"?
@WoolieOG
@WoolieOG Жыл бұрын
@@terezip2213 people bending over to new twitter name, personally i will never stop using original name, "x" makes no sense in the sentence.
@jp263
@jp263 Жыл бұрын
@@WoolieOGthanks for explaining. Man X was a stupid rebrand
@DontFollowZim
@DontFollowZim Жыл бұрын
Of course sanitize on the back end. That ensures that if someone tries to send things to your back end without just filling out your form, it'll still get sanitized. Don't trust the front end to do it right
@RonaldTetsuoMiura
@RonaldTetsuoMiura Жыл бұрын
The problem is, people have been trained for years to not worry about xss, by modern ui frameworks and simplified sever side requirements (they mostly have to handle json, which have strict syntax). You must have used jquery+mvc to have the previous experience with server side input sanitization.
@enkiimuto1041
@enkiimuto1041 Жыл бұрын
Idk man, the first thing when I saw HTMX was "cool, I wonder what is the best way to sanitize it" If you are working on the backend, and you're not looking on how to make your server secure when using a new tool, that is on you.
@Homiloko2
@Homiloko2 Жыл бұрын
That's if you're a front end dev. If you're a backend dev, one of your first thoughts was probably sanitization. You should always sanitize on the backend, never trust the framework 100%.
@RonaldTetsuoMiura
@RonaldTetsuoMiura Жыл бұрын
​@@Homiloko2 Yeah, true. But the channels hyping htmx are mostly the ones that usually talk about frontend, making it seem that htmx is a replacement to react, instead of a complete shift of the development to the backend. That is the problem. Well, was. We already are passing the initial hype, and people are clearing things up.
@hannessteffenhagen61
@hannessteffenhagen61 Жыл бұрын
@@RonaldTetsuoMiura Well, it's always a matter from where you're coming from. In my circles it was more a "cool, we can easily add some interactivity to our mostly static backoffice apps without having to spend a bunch of extra time on frontend development", so basically just do the same thing we did before just add some `hx-****` on some elements and otherwise keep doing the same thing we did before.
@stvetsch
@stvetsch Жыл бұрын
It's like don't use databases because there's SQL injection, and the "proof of concept" is just some script where SQL is string concatenated with raw user input. No one would do that - you would use parameterized queries for that. Similarly if you render HTML on the server you would use a templating engine/library which most likely provides HTML escaping already (most of the times you have to specifically disable escaping like in Twig or Jinja2).
@smallfox8623
@smallfox8623 Жыл бұрын
That would make sense if htmx was presented as an addition to SSR templating engines but if you go to their website it's presented as a frontend framework and even directly compared to react. If people go in expecting it to behave like react then they must be aware that they need to handle XSS vulnerabilities themselves. Edit: Also "It's like don't use databases because there's SQL injection" is almost a valid argument only you replace database with raw-dogging your own database connector which is an argument people make and it's a good argument. Content sanitization be that for the purpose of preventing SQL injections or XSS attacks is difficult so we often make use of pre-existing tools that build on previous knowledge regarding these attacks. It's almost never a good idea to implement your own solutions when security is involved.
@heroe1486
@heroe1486 Жыл бұрын
​@@smallfox8623 I've always seen it mentioned as a tool to be used with frameworks like Django (without DRF) and thus with templating engines, might be a marketing issue on their front page then
@Slashx92
@Slashx92 Жыл бұрын
@@smallfox8623 I have to agree with actualwafflesenjoyer. Even react call itself a "library". HTMX calling itself a frontend framework is meaningless. HTMX presents itself as a tool to render and update html server-side using https verbs. That's the tool. If you assume every "frontend framework" will have all the bells and whistles, including security, you are in bad luck
@rtachallenger
@rtachallenger Жыл бұрын
There is 3 things i can be sure about in this life. 1. We all die 2. Jeffrey epstein didn't kill himself 3. ThePrimeagen won't turn off alerts before recording a yt video on stream
@nicholastoo858
@nicholastoo858 6 ай бұрын
4. You can have victory over sin
@InkFPS
@InkFPS Жыл бұрын
HTML being extended to embrace the concepts of HTMX sans JS. Sounds like the web world my 2010 self wants to live in (was react a mistake?). The only requirement is to maintain the HTMX viewpoint of "don't care, just give me hypermedia".
@Slashx92
@Slashx92 Жыл бұрын
"don't care, just give me hypermedia". Love it
@cristi724
@cristi724 Жыл бұрын
This thing happens with "backend" devs that learn a web framework when they start out, like Laravel, and skip the whole "this is how the web works" part of the learning curve. When they step out of the frameworks it's sqli and xss galore.
@zed5790
@zed5790 Жыл бұрын
That's why they should start with a secure framework like django!
@J0R1AN
@J0R1AN Жыл бұрын
If you use any popular templating framework in the backend, you are almost completely safe from Reflected XSS
@lavender0666
@lavender0666 Жыл бұрын
When's the last time you had a pentest done?
@J0R1AN
@J0R1AN Жыл бұрын
@@lavender0666 I know this is a generalization, (am a security researcher myself), but it’s not very useful to overcomplicate security things. The “issues” HTMX introduces can all be fixed by using a templating framework the way you are supposed to. For correctness I added some more vagueness to my comment, but my point is that the risk these Twitter people are talking about is very small in practice
@lavender0666
@lavender0666 Жыл бұрын
@@J0R1AN ah alright that's fair, thanks for the clarification
@Alec.Vision
@Alec.Vision Жыл бұрын
Validation belongs at the API layer. Your clients should never consume 3rd party APIs, but instead proxy them through a BFF API that handles sanitization for both incoming data (sql injection) and outgoing data (xss). In case you just have a very simple use case. No need to worry about scaling issues, so just do it wherever it's convenient 🤷‍♂️
@yuliusseraph4973
@yuliusseraph4973 Жыл бұрын
TJ, the guy with 0 experience of doing the web, what a presentation of TJ
@ryangrogan6839
@ryangrogan6839 Жыл бұрын
Never trust input, regardless of where it comes from. Someone can easily bypass the front end sanitization by sending hand crafted requests. Don't trust the back end unconditionally because attackers could alter source code. I prefer sanitization on the receiving end. So, you would sanitize incoming data, not outgoing data. Back end sanitizes incoming requests from the front end; front end sanitizes requests coming from the back end.
@Slashx92
@Slashx92 Жыл бұрын
That makes a lot of sense
@surfer_silver
@surfer_silver 10 ай бұрын
@ryangrogan6839 - Best comment here !!!
@nairanvac79
@nairanvac79 Жыл бұрын
I'm insecure, too, but that doesn't stop people from using me
@BrianKessler
@BrianKessler Жыл бұрын
Backend should never trust the frontend. Frontend should never trust the backend. What's between the chair and the machine should never trust the machine.
@RealDevastatia
@RealDevastatia 11 ай бұрын
C-3PO has been saying it in every episode for the last 40+ years.
@WyzrdCat
@WyzrdCat Жыл бұрын
I'm a front end dev and I'm not shook, I've always felt that way, why is JS required for so much, and HTML stopped getting better? In the beginning all the stuff that you would just *always* use JS for became HTML/CSS functionality. :hover for example. And web dev could have sooo much less complexity to it.
@0xCAFEF00D
@0xCAFEF00D 10 ай бұрын
It's shocking to me that implicitly these devs who claim htmx is insecure are implicitly admitting they'd create security vulnerabilities in it without the guardrails in server -> client. Meaning their servers are probably _pwned_ the moment they handle raw user input from clients.
@lauraprates8764
@lauraprates8764 Жыл бұрын
The correct sentence is: "HTMX is the most dangerous thing in a while for dumb developers, in contrast to React HTMX doesn't pet you, you'll need to grow up"
@Slashx92
@Slashx92 Жыл бұрын
"HTMX is the most dangerous thing in a while for 'React/etc developers', web developers have handled this for a while"
@RealDevastatia
@RealDevastatia 11 ай бұрын
Frameworks are for people who don't like programming. The solution is to choose another career path.
@nopnop4790
@nopnop4790 Жыл бұрын
If you only sanitize the frontend, wouldn't you be vulnerable to people just disabling your js and then sending crap to your backend anyway?
@mage3690
@mage3690 Жыл бұрын
As a complete and utter noob, I think the front end should sanitize things, because the front end is the one place where your code is locked, vaulted, firewalled, and generally completely immune to malicious intent unless any potential bad actor has the keys to the kingdom anyways. . . . Wait, that's the back end? Shit.
@defidelity
@defidelity 8 ай бұрын
glad you said the first sentence.
@Maric18
@Maric18 Жыл бұрын
wait wait wait if i as the server send the client some javascript, i would expect them to execute it (on my authority/origin/whatever) how is this not the default and expected behavior?
@그냥사람-e9f
@그냥사람-e9f Жыл бұрын
yeah HTMX is vulnerable to XSS X: Skill S: Issue S:
@_jay.h
@_jay.h Жыл бұрын
HTMX is just AngularJS reincarnated lol
@heckyes
@heckyes 9 ай бұрын
It's really just "XMLHttpRequest" with some training wheels. I love the shit out of it.
@lashlarue7924
@lashlarue7924 9 ай бұрын
Dear Prime: Thank you for enlightening me. Your videos help me to narrow the scope of what I need to learn next. You have ultimately saved me a lot of time by helping me to focus on the things that are important to know that allow me to build the stuff I will want to build in the future.
@franciscokloganb
@franciscokloganb Жыл бұрын
First heard about HTMX in 2020, I was very close to adopt it on a Django project, before I decided to learn Vue because I found it way more flavorable than React and the advantage of employability. I do not regret my decision, but back then, I always praised how HTMX was so stupid simple and could one day replace React _et al._ in quite a few web applications; Especially simple sites. I can only assume that nowadays, it's even better.
@zeocamo
@zeocamo Жыл бұрын
NEVER TRUST the FRONTEND, people can fake to be the frontend and send stuff you don't want. IT is always the backend the ensure valid input. or you are done.
@EskoLuontola
@EskoLuontola Жыл бұрын
Sanitization needs to happen right before generating the output format, when it's known what the output format is. Otherwise, if you pre-emptively sanitize everything as early as possible, you'll reinvent PHP's magic quotes. 🤢 When generating HTML, escape the data for HTML. When generating JSON, escape for JSON. When generating SQL, escape for SQL (using database engine and configuration dependent escape sequences). When generating CSV, escape for CSV (and hope the reader is configured to unescape using the same CSV variant). If the data is pre-emptively escaped for HTML, but then one of the clients uses it to generate PostScript, you'll have XSS or garbled characters in your PostScript document, unless you take care to undo the HTML escaping before generating the PostScript. Prefer generators which automatically handle the escaping. HTMX doesn't generate the HTML, so obviously it's not its responsibility to escape the HTML. The HTML templating library of your choice should handle it. You wouldn't generate HTML by string concatenation, the same as you wouldn't generate SQL by string concatenation, right? Otherwise you're back to writing PHP à la 1999.
@jorgegomezreus7019
@jorgegomezreus7019 Жыл бұрын
Gone back to day 0 of Prime forgetting to turn off the alarms
@JamesMurphy1984
@JamesMurphy1984 Жыл бұрын
I'm sure Little Bobby Drop Tables would disagree about backends sanitising inputs
@chris-pee
@chris-pee Жыл бұрын
ITT people have no idea how XSS attacks happen
@oschonrock
@oschonrock 10 ай бұрын
I love HTMX.. because I am still used to doing it that way from 15yrs ago... with a bit a of jquery back then. But really I love that someone has made a minimal and canonical implementation for what you need in 95% of cases, and it's NON-INTRUSIVE. it's LOOSELY COUPLED. It doesn't say anything about what you must use on the front-end or the backend, or what you build system needs to look like (just don't have a build system!). IMO it makes 95% of the world's JS obsolete. And that has to be a good thing!
@StiekemeHenk
@StiekemeHenk Жыл бұрын
The back end has to sanitize as well as the front end. The back end will never accept any bad data, even if someone tries to directly use the API and mess with it. The front end should sanitize what it sends and receives so that the rest of the functions work properly and nothing gets fucked where you don't expect it to. If data is transfered, consider it dirty, always sanitize it and you're always safe.
@AlibabaKingOfCongo
@AlibabaKingOfCongo Жыл бұрын
In general, any outside input to any piece of software should be validated and/or sanitized. This is one of the most important concepts of secure software development.
@Spookyhoobster
@Spookyhoobster Жыл бұрын
A frontend bug is not the same thing as a compromised server. Sanitation isn't cheap and can add a ton of complexity/friction when it comes to maintenance. There's always going to be edge cases where something like "sanitizing in the frontend" makes sense, but it's completely unnecessary 99% of the time when it comes to standard webdev because most frontends should have as little responsibility as possible. Sanitizing in the backend is *always* a must.
@DrKartoffelsalat
@DrKartoffelsalat Жыл бұрын
Frontend sanitizing is good for UX, that's about it. Realisticly it's easy to bypass and manipulate. You can't trust the front-end sanitization (which you'll have to do in JS) is actually being applied before a request gets send to the backend. Heck try to frontend-sanitize my curl request to your backend :P
@MultiMrAsd
@MultiMrAsd Жыл бұрын
There is actually a major advantage to sanitization in the frontend. You have access to the exact parser that is going to execute it. There have been a lot of xss attacks that exploited a difference between the implementation on the server and the client in some edge cases.
@13thxenos
@13thxenos Жыл бұрын
Any one who is serious about using XSS, won't be stopped with a frontent sanitization. You can quite easily bypass the frontend all together.
@Obamanamamama
@Obamanamamama Жыл бұрын
Hot take but if you need a framework to protect you from xss you probably aren’t that good of a Developer
@RealDevastatia
@RealDevastatia 11 ай бұрын
If you need a framework period, you're not a good developer.
@marklong2060
@marklong2060 Жыл бұрын
We need a library of custom web components built with HTMX and Tailwindcss...then we can go home early and sleep like a baby.
@k225
@k225 Жыл бұрын
Shocking! HTML documents and HTTP servers are all dangerous... because if you let users upload .html files inside the web root/asset directory... users can 0wn your site 😲 Did someone not get the memo 30-odd years ago and remained sheltered from basic reality until now?!
@mattrs1
@mattrs1 Жыл бұрын
Htmx+flask = newbies wet dream Source:I'm a newbie
@ruudlaff10
@ruudlaff10 Жыл бұрын
Everything in this chat comes from how almost the entire industry pivoted into being "React", with people being specialists in just that alone. None of these conversations even begin if people truly understand the fundamentals of coding for the web.
@iWhacko
@iWhacko Жыл бұрын
frontend sanitisation??? was that really a question? an attacker could just send crafted http requests that would not be sanitized. wth?
@laughingvampire7555
@laughingvampire7555 Жыл бұрын
and that is why is insecure because people have to do the job in the backend, that means all these poor souls who have been sacrificed to the altair of react.complexity have to learn a real backend framework
@sismith5427
@sismith5427 9 ай бұрын
I prefer Phoenix Frameworks Liveview implementation for this server powered reactive UI's concept. always feels far more tightly coupled to server. Helps when the ecosystem for both the underlying language and the web framework as well as the websocket powered reative UI share so much collaboration from the creators themselves, Elixir is doing this really well atm
@u9vata
@u9vata Жыл бұрын
Backend validation is must - if you only validate on client then I go visit your page and look at communications and willl call your server endpoints with compromized data.... okay... I will not - but trust me someone will ;-) So validation can only safe server-only or server+client (just for faster UX maybe)
@dienand_
@dienand_ 9 ай бұрын
Never trust the client is my answer to the first question.
@CYXXYC
@CYXXYC Жыл бұрын
backend should sanitize if its possible for client to run something (like sql injection sanitization), but if its just a string to store and then a string to read (like html/css/js/whatever you allow for users to format), frontend should sanitize because of browser differences
@CYXXYC
@CYXXYC Жыл бұрын
by the way, you are totally allowed to modify your frontend, and hack yourself with xss, but others will not be hacked because their frontends sanitize for xss still
@ck-dl4to
@ck-dl4to Жыл бұрын
​@@CYXXYCIf you hack yourself, it shouldn't be "cross-site" scripting, right?
@freesoftwareextremist8119
@freesoftwareextremist8119 Жыл бұрын
No? Backend should render HTML and escape all texts spliced into the template. Something that every template engine already does for you. Problem solved.
@CYXXYC
@CYXXYC Жыл бұрын
@@freesoftwareextremist8119 oh you do you. in my personal opinion templates are a mistake
@freesoftwareextremist8119
@freesoftwareextremist8119 Жыл бұрын
@@CYXXYC And how do you like to generate your HTML?
@RayAndrewsDev
@RayAndrewsDev Жыл бұрын
Also, scissors are dangerous because you might run with them while your eyes are closed
@teej_dv
@teej_dv Жыл бұрын
great guest. does he stream anywhere?
@TheHermitProcess
@TheHermitProcess 8 ай бұрын
This is tj devries. He’s on KZbin.
@wannabelikegzus
@wannabelikegzus 9 ай бұрын
I think this is a great demonstration of Jonathan Blow's talk about how software is getting worse. Part of his point was that programmers are so far removed from what's really happening on the computer that they don't think in those terms any more. Nathan James is so far removed from having to actually think about what his network communication actually consists of that he freaks out when something makes him do it again.
@liquidsnake6879
@liquidsnake6879 Жыл бұрын
you still need to sanitize server-side, have people forgotten that Curl is a thing and i don't need your FE app at all to be making REST calls to your backend?
@uplink-on-yt
@uplink-on-yt Жыл бұрын
Web servers generating HTML and serving it to the browser? Who invented that cr... Oh, wait, it's been around since Perl and CGI (the web technology, not the graphics). Use Twig, Blade, Jinja2, and their friends, and the conversation is so over.
@laniusdev
@laniusdev Жыл бұрын
Well, that are basics of securing server-side application. First: don't let your server be overtaken by hackers (seems pretty obvious). Second: sanitize / validate every input coming from the client. You say, frontend can sanitize / validate it and backend should just trust it? Have you heard of F12 'hacking tool' that allows you to edit basically everything on client-side? Have you heard about Server-Side Rendering att all? Php maybe? This new hot thing? Some people are just so much in a bubble or detached from reality, lol.
@timseguine2
@timseguine2 Жыл бұрын
htmx is the logical endpoint of HATEOAS. The only thing that would make things even better is if CSS was always advanced enough to allow for 100% semantic markup and absolutely no markup that is only required for purely visual purposes. It is way closer than it used to be. But I still often find stuff I can't do without wrapper containers even with custom html5 tags and modern css. To my mind we are getting closer every day to the web as Tim Berners-Lee originally envisioned it augmented with dynamic content. Especially since we are now in the evergreen browsers era of the internet, where you can pretty quickly transition to the bleeding edge in most deployment scenarios without worrying too much about compatibility. I think TJ is right that this type of thing should eventually be just part of the normal W3C spec of what HTML should be able to do. I am confused by the fact that so many react devs are apparently fundamentally confused by how hypertext works.
@m4rt_
@m4rt_ Жыл бұрын
Sanitize any form of input that the user has. ANYTHING they can mess with.
@DanteMishima
@DanteMishima Жыл бұрын
We make the web better by leaving it alone and not trying to fix things that arent broken
@michaelmammoth1010
@michaelmammoth1010 8 ай бұрын
As a fake doctor, I was taught in fake medical school that you should never depend on the client to sanitize data. That's insane.
@D4ngeresque
@D4ngeresque Жыл бұрын
We are SO back to the jQuery golden age, bros.
@TurtleKwitty
@TurtleKwitty Жыл бұрын
Since vue is so great for progressive enhancement by having components outside of full apps have a feeling HTMX + free flaoting vue components for those things that do need frontend interaction (say a markdown editor for a blog site, without server input from each keystroke which would be insane) will be the way of the future now we just need a good server implementation for common cases instead of everyone making their own
@hamm8934
@hamm8934 Жыл бұрын
I like this idea
@somenameidk5278
@somenameidk5278 Жыл бұрын
couldn't you use webcomponents for that? those seem like free floating components for drop-in interactivity without a framework
@TurtleKwitty
@TurtleKwitty Жыл бұрын
@@somenameidk5278 That is an option too if you prefer that option, but in the context of "I want a framework" vue makes MUCH more sense
@ankk98
@ankk98 10 ай бұрын
The framework by design should prevent bad things from happening by default. For example, rails sanitize content going into erb by default. Developers are humans, they always make mistakes. Developers should not even need to know the intricacies of XSS, and everything should work fine. Else bad things will happen as we see in PHP apps.
@kevinkkirimii
@kevinkkirimii Жыл бұрын
I am still trying to understand the issue. Isnt validation of data your responsibility ? Htmx is fine
@Sw3d15h_F1s4
@Sw3d15h_F1s4 Жыл бұрын
imo backend should sanitize since you could theoretically have multiple front ends, take netflix for example. Let the powerful beefy server do all the work, instead of writing sanitization for your android app, web interface, desktop app, console app, etc.
@RaveYoda
@RaveYoda Жыл бұрын
Like... yeah, who lets users just pass data in without checking what it is? Honestly, the single authority is the server who ends up repeating validation anyway. Validation front side is for user convenience- It's certainly not security.
@AllSentientFreeman
@AllSentientFreeman Жыл бұрын
Who the hell does not sanitize server side? Wtf? Never trust the user.
@ThePrimeTimeagen
@ThePrimeTimeagen Жыл бұрын
this, yes, 100%
@lancemarchetti8673
@lancemarchetti8673 Жыл бұрын
As computing evolves, hypertext protocol will most probably not😂
@bradchellingworth5973
@bradchellingworth5973 5 ай бұрын
Validation and sanitization needs to be performed on the back end in my opinion, Its the last gateway before your database, and even if the HTML was sanitized, you still need to sanitize against sql injection etc.
@SilverPaladin
@SilverPaladin 8 ай бұрын
This is not an insecure package problem, this is an ignorant developer problem.
@laughingvampire7555
@laughingvampire7555 Жыл бұрын
my issue is that Carson confuses html with hypermedia, hypermedia is having interactive non-linear content connected by links and this can be done without html, like info pages in linux or hypercard in macos or gopher pages or vim docs or orgmode or markdown or djvu etc. HTML is just a format of hypermedia and any format can be included as long as it is a node in the graph of hypermedia node would be content + links, and with JSON APIs people have made HATEOAS sites
@ThePrimeTimeagen
@ThePrimeTimeagen Жыл бұрын
that is a very specific, niche upsetness. communication is often through reduced "btw"s because it becomes annoying. prefacing everything you have to say to be the most technically precise is an increasingly annoying thing its called htmx, its centered around html, its ok to call it hypermedia. it doesn't mean that something else "isn't" hyperemedia, its just not the focus.
@laughingvampire7555
@laughingvampire7555 8 ай бұрын
@@ThePrimeTimeagenmy point was never that "something else is hypermedia as well" my point is HTML is not hypermedia. HTML is plain text that describes hypermedia, just like the word "apple" is not an apple (the fruit or the company) precision is necessary when we do engineering or science or anything related to machines.
@Koroistro
@Koroistro Жыл бұрын
That genius was able to hack himself, did Tom start a new career in frontend development?
@the-nasim
@the-nasim Жыл бұрын
Htmx + AlpineJs = 💪😎
@unowenwasholo
@unowenwasholo Жыл бұрын
So HTMX doesn’t have a vulnerability, it’s just easier to write vulnerable code yourself.
@aroymendez
@aroymendez Жыл бұрын
the most crazy things in ef, is think there are any js framework that is secure against xss
@Ali-sc6dh
@Ali-sc6dh Жыл бұрын
Regarding the recommandations of sanitizing HTML in the frontend rather than the backend, I think this comes from concerns regarding how malformed html is parsed differently in each browser. There is this great video of liveoverflow explaining that : kzbin.info/www/bejne/oniahmacqrOqaaM But basically when a browser receive malformed html, it will always try to correct it (by adding missing closing tag for exemple). But there is no global spec regarding this corrections which means every browser will have it own strategy to correct the html input. The issue becomes that trying to sanitize html on the backend will mean you will need to know the specific implémentation of each browser to make sure what is send is not vulnerable to xss attack. Where as if you validate the html on the browser, you won’t have to deal with this specific because you can work with the same html parser that will evaluate yout html input. Obviously my explaination is over simplified but the liveoverflow video above explain it really well imo
@Slashx92
@Slashx92 Жыл бұрын
That sounds interesting, thank you for the link
@freesoftwareextremist8119
@freesoftwareextremist8119 Жыл бұрын
You are not supposed to sanatize HTML like this. You escape it. Simple, problem solved. You can do this on the server. And in fact, every templating library known to man does that. And if you use HTMX you probably use one and don't concatenate HTML strings on the backend.
@Ali-sc6dh
@Ali-sc6dh Жыл бұрын
@@freesoftwareextremist8119 Well that only works if you're trying to fully sanitize user input (which is of course the most common use case). But sometimes you want to allow some html markup to be inputed by the user (for exemple in a blog app where a user can create a post with enriched content and formatting). In this case, you can't just escape the content since you need to eval it on the front-end It's in this case where sanitizing on the server-side can lead to vulnerability. A malformed HTML could seem harmless at first but be evil once it's parsed ny the browser
@marvingudel605
@marvingudel605 Жыл бұрын
Had exactly this video from liveoverflow in mind when scrolling through the comments. Every browser trying to correct malformed html in its own way is a big problem imo.
@spicybaguette7706
@spicybaguette7706 Жыл бұрын
HTML parsing is fully defined by the standard though (google html spec, under the parsing section, I can't put the link in this comment). A proper sanitizing library does implement a full spec-compliant HTML parser. But of course, although rare, there may be some bugs. Side note: The reason you should always put at the top of your document is because it puts the browser in "standards mode" as opposed to "quirks mode", which IIRC also influences the way the browser parses your document
@JLarky
@JLarky Жыл бұрын
6:41 the guy who has 0 web knowledge seems to make good points
@chewbaccarampage
@chewbaccarampage Жыл бұрын
HTMX is like Pheonix Liveview for everyone. It's amazing!
@nathanalberg
@nathanalberg Жыл бұрын
There's still state on the client with htmx... its just not in js... its in html. A list of tweets displayed by htmx to the user is still state... that can become stale if the user sits there and reads them for 10 minutes before interacting with it.
@happygofishing
@happygofishing Жыл бұрын
WWW needs to depreciated long live Gemini.
@binh1298ify
@binh1298ify Жыл бұрын
someone should make a "every Prime video ever": I FORGOT TO TURN OFF THE ALERT THANK YOU SO MUCH
@constantine8601
@constantine8601 10 ай бұрын
I consider myself as a Junior php laravel developer.. with max 6 month experience... at the begining I thought this was a Joke... Im definitely not an expert but even I DONT GIVE A F... what is sent from client side, i sanitize everything on backend... thanks a lot... i feel that im on the right learning path
@arturober
@arturober Жыл бұрын
Even if you inject XSS into the database, if the client uses a framework like Angular for example, the artack doesn't work. It doesn't do anything like innerHTML, parsing a string into HTML (which I consider a very bad practice). Even if you force an innerHTML, you have to DISABLE Angular sanitization for it to work on purpose..
@Iswimandrun
@Iswimandrun 4 ай бұрын
Backend should sanitize period unless you have peer to peer communication then the client receiving should sanitize before displaying
@jacmkno5019
@jacmkno5019 9 ай бұрын
Will have to see if HTMX ends up just being flagged as a vulnerability in security vulnerability reports. And that's the end of it... It doesn't matter if security can be fixed. Once it makes it to the report, you're done...
@ybumbu
@ybumbu Жыл бұрын
I agree with TJ's idea. I'm wondering why this isn't reality yet...
@JoaoPaletas
@JoaoPaletas Жыл бұрын
HTMX sounds a lot like a template engine that does not care about which server is behind it, as if someone made ASPX pages without the ASP ;-)
@ThePrimeTimeagen
@ThePrimeTimeagen Жыл бұрын
pretty much this
@RealDevastatia
@RealDevastatia 11 ай бұрын
My HTML parser blocks script, style, link, embed, and tags and anything that has *src="javascript: ..."* or *href="javascript: ..."* attributes. And that's on top of all of the usual input sanitization and SQL quoting.
@adamruck
@adamruck 5 ай бұрын
Of course no website should solely rely on front end sanitization. Anyone could simply write their own custom HTTP requests and bypass the frontend sanitization.
@danvilela
@danvilela Жыл бұрын
So this is the X from HTMX then? XSS? I see
@NoOnesBCE
@NoOnesBCE 11 ай бұрын
I don't get front end sanatizing wouldn't that make the backend vounerable for attacks?
@__christopher__
@__christopher__ 11 ай бұрын
17:00 wasn't that exactly the idea of XHTML2? (note the X at the beginning, not the end!)
@achuthvp6789
@achuthvp6789 Жыл бұрын
Reflected XSS is a major vulnerability. The ability to run arbitrary javascript on a client with one click. A lot of possibilities that range from sending same origin requests to and logging responses to cookie stealing, which results in total account takeover. I didn’t see anyone else saying it so I said it : P
@pookiepats
@pookiepats Жыл бұрын
ok..
@arden6725
@arden6725 Жыл бұрын
none of these require a vulnerability. a browser isn’t trustworthy and things like same origin requests and only enforced by browsers. the whole point of reflected xss is it only runs on the attacker’s client, meaning it has no additional access
@smallfox8623
@smallfox8623 Жыл бұрын
@@arden6725 That's great until the attacker manages to steal the access token from an admin.
@lavender0666
@lavender0666 Жыл бұрын
​@@arden6725 you can still use it to do some damage, it's not as bad as DOM or stored sure but it's still a vulnerability either way, devs should be sanitising and using WAFs anyways so i dont see why someone running an insecure page locally is seens as proof
@miguelborges7913
@miguelborges7913 Жыл бұрын
The thing is that arbitary script is inserted by the same client.
@joeshmo546
@joeshmo546 9 ай бұрын
it triggers me a little bit that they don't seem to think being able to execute js on a website isn't vulnerable. Alert(1) is just a demonstration
@fastbike9845
@fastbike9845 Жыл бұрын
React developers are so far behind the times. We've been sanitizing input for decades.
@arturk9181
@arturk9181 Жыл бұрын
Front-end 'security' lol!
The Truth About HTMX | Prime Reacts
49:56
ThePrimeTime
Рет қаралды 380 М.
Game Devs Are Drowning In Complication
36:48
ThePrimeTime
Рет қаралды 263 М.
Real Man relocate to Remote Controlled Car 👨🏻➡️🚙🕹️ #builderc
00:24
The IMPOSSIBLE Puzzle..
00:55
Stokes Twins
Рет қаралды 176 МЛН
風船をキャッチしろ!🎈 Balloon catch Challenges
00:57
はじめしゃちょー(hajime)
Рет қаралды 98 МЛН
NO BUILD SYSTEM FOR HTMX???? | Prime Reacts
26:29
ThePrimeTime
Рет қаралды 58 М.
Poker's Greatest Tournament Run
34:43
EmpLemon
Рет қаралды 83 М.
"The Life & Death of htmx" by Alexander Petros at Big Sky Dev Con 2024
23:01
Montana Programmers
Рет қаралды 69 М.
Is HTMX a Joke??
32:15
Syntax
Рет қаралды 23 М.
Golang is BAD for SMART PEOPLE
27:25
ThePrimeTime
Рет қаралды 283 М.
Should You Still Learn To Code? | Prime Reacts
1:00:21
ThePrimeTime
Рет қаралды 356 М.
Why Would Anyone Hate TDD? | Prime Reacts
46:52
ThePrimeTime
Рет қаралды 152 М.
I am a Bad Software Engineer | Prime Reacts
26:06
ThePrimeTime
Рет қаралды 178 М.
HTMX Sucks
31:45
ThePrimeTime
Рет қаралды 153 М.