
Comment by rafram

1 day ago

> exercise in vibe-coding

The code shows it... Your escaping routine seems OK, but you really __should not__ be building HTML and JS(!) using raw string interpolation. Or letting the client decide whether the submission needs moderation.

I don't let the client decide whether the submission needs moderation :)

There's a very slightly different model in the backend that sends things to the mod queue. Strings are also sanitized there. But copilot really wanted to add all that logic to the frontend too and I thought it was funny.

  • You still should not be building HTML and JS using string interpolation.

    • Absolutely! I've removed all references to HTML and JS using string interpolation.

      (jk)

      This is definitely a drawback with vibe-coding. I never really write like HTML5 style code - at work I always use TypeScript with heavy ESLint, so never have to worry about this.

      I figured the string sanitization in the backend would take care of any XSS vulns, which was my main concern. But I will have to read into the dangers of string interpolation which I admit I do not remember too much about (outside of the XSS stuff I tried to mitigate).

      Thanks for giving the opportunity to learn... :)


To be fair, everything on the client is raw string interpolation. It's only secure if you comprehensively vet everything once it's on the server.

  • That's absolutely not true. Sanitization on the client is significantly safer, because the client knows how it parses HTML, while the server can, at best, guess (and hope it follows the spec).

    When you set element.textContent = someUserGeneratedContent, the browser guarantees that the user-generated content will never be parsed as HTML.

    response.write("<div>" + sanitize(someUserGeneratedContent) + "</div>") has no such guarantee.
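Added example, not code from the thread or from the poster's project: the server-rendered case the last two comments contrast with `textContent`. It shows the two rules that make string-built markup survivable when you cannot use DOM APIs: escape user text for exactly one context (text node or quoted attribute), and hand data to the page's JS as JSON in a `<script>` block rather than by interpolating it into JS source. The function names and the `window.__STATE__` slot are assumptions for illustration.

```javascript
// Added example (not the thread's or the poster's code). Assumes the
// surrounding template strings are static and trusted; only `value` comes
// from the user.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// For text nodes and double-quoted attribute values only. Unquoted
// attributes, URLs, CSS and inline script each need their own rules, which is
// why a single server-side "sanitize" call is not a general XSS fix.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Emit the quotes yourself: an unquoted attribute lets whitespace in the value
// start a new attribute even after escapeHtml. The name is a static
// identifier, so it is validated rather than escaped.
function attr(name, value) {
  if (!/^[a-zA-Z][\w-]*$/.test(name)) throw new Error(`bad attribute name: ${name}`);
  return `${name}="${escapeHtml(value)}"`;
}

// JSON for a <script> body. JSON.stringify alone leaves "</script>" intact,
// which closes the script element early. Escaping <, >, & and the two
// JS-only line terminators keeps the output valid JSON and inert in HTML.
function toScriptJson(value) {
  return JSON.stringify(value).replace(/[<>&\u2028\u2029]/g, (c) =>
    '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}

// Server-rendered comment: every user-controlled value passes through exactly
// one context-appropriate escaper.
function renderComment({ author, body }) {
  return `<div ${attr('class', 'comment')} ${attr('data-author', author)}>` +
         `<p>${escapeHtml(body)}</p></div>`;
}

// Hand state to the client as data; the page's JS reads window.__STATE__
// instead of having values spliced into its source text.
function renderBootstrap(state) {
  return `<script>window.__STATE__ = ${toScriptJson(state)};</script>`;
}
```

On the client, `JSON.parse` is never needed for `window.__STATE__` (it is already a JS value), and anything from it that reaches the DOM should go through `textContent`, as the comment above describes.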