Comment by hallak
2 days ago
I don't let the client decide whether the submission needs moderation :)
There's a very slightly different model in the backend that sends things to the mod queue. Strings are also sanitized there. But copilot really wanted to add all that logic to the frontend too and I thought it was funny
You still should not be building HTML and JS using string interpolation.
Absolutely! I've removed all references of HTML and JS using string interpolation.
(jk)
This is definitely a drawback with vibe-coding. I never really write like HTML5 style code - at work I always use typescript with heavy ESLint, so never have to worry about this.
I figured the string sanitization in the backend would take care of any XSS vulns, which was my main concern. But I will have to read into the dangers of string interpolation which I admit I do not remember too much about (outside of the XSS stuff I tried to mitigate).
Thanks for giving the opportunity to learn... :)
> Absolutely! I've removed all references of HTML and JS using string interpolation.
I love that this is becoming a meme, haha. Thanks for the laugh.