I’ve heard nothing but good things about HTMX
I’ve only ever heard anything “bad” about HTMX and it was here on Lemmy, actually. I ran into someone who was absolutely certain that HTMX was unsafe by design because it leveraged HTML over the wire and was therefore susceptible to HTML injection attacks, specifically by injecting malicious scripts that could be run from domains you didn’t control. I tried explaining that proper utilization of access-control headers innately prevented this because they worked on the browser level and couldn’t be intercepted or interfered with by HTML injection by design, but he kept insisting it was unsafe while refusing to elaborate. He was very wrong, of course, but also very confident.
I’ve heard similar from the worst first year CS students you could ever meet. People talk out their ass without the experience to back up their observations constantly. The indentation thing is a reasonable heuristic that states you are adding too much complexity at specific points in your code that suggests you should isolate core pieces of logic into discrete functions. And while that’s broadly reasonable, this often has the downside of you producing code that has a lot of very small, very specific functions that are only ever invoked by other very small, very specific functions. It doesn’t make your code easier to read or understand and it arguably leads to scenarios in which your code becomes very disorganized and needlessly opaque purely because you didn’t want additional indentation in order to meet some kind of arbitrary formatting guideline you set for yourself. This is something that happens in any language but some languages are more susceptible to it than others. PEP8’s line length limit is treated like biblical edict by your more insufferable Python developers.
Yeah, but it’s still a Ship of Theseus problem. If you have a ship and replace every single board or plank with a different one, piece by piece, is it still the same ship or a completely different one, albeit an exact replica of the original? It’s important because of philosophical ideas around the existence of the soul and authenticity of the individual and a bunch of other thought-experimenty stuff.
This demonstrates a profound misunderstanding of HTMX, and how websites in general operate. So much so that I would not hesitate to describe this as somewhere between a baldfaced lie and just malicious incompetence. You can’t “invoke logic via HTML attributes,” but you can describe it. HTMX is a client side javascript library that parses custom elements you define in your HTML and uses the data described by them to initiate AJAX calls via the fetch() or XMLHttpRequest browser APIs, which CSP explicitly covers via the connect-src directive: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/connect-src. It’s literally just a javascript library that parses HTML and uses it to parameterize AJAX calls. If HTMX were somehow able to bypass CSP, then every single piece of clientside JavaScript in the world could violate it.
“Wow, these screen doors really suck. I’ve stuck them on my submarine, but they just don’t keep the water out at all. Some people are going to say that I’m a fucking moron and don’t understand the technology I use or that I’m too goddamn lazy to actually take the necessary steps to keep water out of my submarine, but I know they’re wrong and it’s the technology’s fault.”
In all seriousness, HTMX is a tool designed for a specific job. If you have an API that has either non-parameterized endpoints to hit or an endpoint that accepts a single integer value or UUID or…whatever to perform a database lookup and return stored values to be interpolated into the HTML that endpoint returns, then, great, you’ve got a lightweight tool to help do that in an SPA. If you’re using it to send complex data that will be immediately and unsafely exposed to other users, then…that’s not really what it’s for. So, I think the core issue here is that you don’t really understand the use case and are opposed to it because to use it in a way that is beyond or outside the scope of its established convention is unsafe without extra work involved to guarantee said safety. It also implies you are running a website with a content security policy that either explicitly allows the execution of unsafe inline scripts or which does not care about the sources to which a script connects, which is the only way you could realistically leverage HTMX for malicious ends. So, ultimately, the choice to not adopt comprehensive security measures is one you are free to make, but I wouldn’t exactly go around telling people about it.
how HTMX works and what it does inherently bypasses CSP
Well, no, not really. All HTMX really does are AJAX requests to remote resources, which are performed by interpreting attributes in HTML. You specify the type of request and the target for updating. Those requests can sometimes contain parameters, of course, but any API that accepts any kind of conditional or user generated input has to sanitize that input before doing anything meaningful with it. This requirement isn’t something particular to HTMX.
You fundamentally are invoking logic via HTML attributes, which bypasses CSP
This is not true, though. You are manipulating the DOM via HTMX, but CSP has nothing to do with dynamic content manipulation. CSP is more concerned with preventing the injection of malicious code. If what you’re referring to, however, is the possibility of someone maliciously injecting HTML with HTMX that performs some nefarious action, then I have to ask (again) why you didn’t properly sanitize user input or limit the possible connection sources in your CSP.
If you have a specific example, however, of a way in which HTMX by design violates CSP that can’t be dismissed with “you coded your website poorly,” I would love to know.
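The two controls named in this thread (escaping user input in the fragments an endpoint returns, and a CSP that limits script and connection sources), as an added example that is not part of any comment here. The routes `/` and `/comments`, the `/static/htmx.min.js` path, the policy string and the stored comments are all assumptions constructed for illustration.

```python
import html

# Assumed policy: scripts and fetch()/XHR targets are limited to the site's own origin.
CSP = "default-src 'self'; script-src 'self'; connect-src 'self'; object-src 'none'"

# Hypothetical page; the browser enforces the policy delivered with this document.
PAGE = ('<!doctype html><script src="/static/htmx.min.js"></script>'
        '<ul hx-get="/comments" hx-trigger="load"></ul>')

# Constructed sample data: the second stored comment tries to smuggle in htmx markup.
STORED_COMMENTS = [
    "Nice write-up!",
    '<div hx-get="https://other.example/collect" hx-trigger="load"></div>',
]

def render_unsafe(comments):
    """'Before' version: user text is interpolated into the fragment as markup."""
    return "".join(f"<li>{c}</li>" for c in comments)

def render_safe(comments):
    """Hardened version: user text is HTML-escaped, so htmx sees text, not elements."""
    return "".join(f"<li>{html.escape(c, quote=True)}</li>" for c in comments)

def app(environ, start_response):
    """Minimal WSGI app: '/' serves the page, '/comments' the fragment htmx swaps in."""
    routes = {"/": PAGE, "/comments": render_safe(STORED_COMMENTS)}
    text = routes.get(environ.get("PATH_INFO", "/"))
    if text is None:
        start_response("404 Not Found", [("Content-Type", "text/plain")])
        return [b"not found"]
    body = text.encode("utf-8")
    start_response("200 OK", [
        ("Content-Type", "text/html; charset=utf-8"),
        ("Content-Security-Policy", CSP),
        ("Content-Length", str(len(body))),
    ])
    return [body]

def call(path):
    """Invoke the app in-process (no network) and return (status, headers, body)."""
    seen = {}
    def start_response(status, headers):
        seen["status"], seen["headers"] = status, dict(headers)
    body = b"".join(app({"REQUEST_METHOD": "GET", "PATH_INFO": path}, start_response))
    return seen["status"], seen["headers"], body.decode("utf-8")

if __name__ == "__main__":
    print(call("/")[1]["Content-Security-Policy"])
    print("unsafe:", render_unsafe(STORED_COMMENTS))
    print("safe:  ", call("/comments")[2])
```

Under this policy the browser would also refuse the cross-origin request in the unescaped variant, because htmx issues it through XMLHttpRequest or fetch(), which `connect-src` governs.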
I think we’re gonna have to agree to disagree on definitions. To me, and I believe, to most people, an SPA refers to a UI/UX design pattern that can be implemented with any number of underlying techniques. I would also say that the Wikipedia page for SPAs (on the assumption that wikipedia is a valid tool for establishing consensus for definitions) supports my definition:
A single-page application (SPA) is a web application or website that interacts with the user by dynamically rewriting the current web page with new data from the web server, instead of the default method of a web browser loading entire new pages.
There are various techniques available that enable the browser to retain a single page even when the application requires server communication.
And it goes on to list frameworks, AJAX, Websockets, etc.
A SPA is *generally* “rehydrated” DOM elements from JSON data pulled from an API though. Whereas HTMX is more akin to classic AJAX style page dynamism.
You’ll forgive me if I say this is an instance of splitting hairs and having a particular definition for something that includes extra qualities separate from what those terms are actually describing for most people. Also, things like, I dunno, React, are going to extensively use ajax to accomplish what they do. It’s literally just asynchronous javascript. It’s like someone saying “my vehicle of choice is a motorcycle” and then someone else saying “A motorcycle isn’t really a vehicle. It’s a transportation device with wheels. A car is a vehicle.” They are both vehicles. They both have wheels. The wheels are ajax. A page made with htmx and a page made with React are both SPAs.
Processes in most operating systems (I’ll use Linux, because it’s what I know and because…Lemmy) are organized in a tree like structure. There’s some initial very low level code used to start the OS, and every other process spawns from that, which is to say they tell the operating system “Hey, please make this process I’m gonna tell you about - allocate resources for it, etc.” The operating system creates it and binds that new child process to the first one. The process that spawned the other process is called its parent. The process that just got spawned is called a child. You could also call them root and leaf processes, I suppose, but nobody really does that. Sometimes you want to get rid of all the child processes a process spawns, but leave the running process intact. Sometimes you want to kill the process that spawned everything and also cleanup anything it might have created. There are lots of programming scenarios in which you might want to do either. It really depends on how your application is designed and what it’s doing.
That all said, there’s a command in Linux called “kill” and you can tell it the process id, process group id, etc. to kill a process or a process group. You can also manipulate what are called SIGNALS. Signals are a whole thing in Linux. They’re basically small values you can send to processes at any time and the operating system forces the process to perform some action whenever it receives one of them. SIGTERM basically stands for “SIGNAL: TERMINATE PROCESS.” So if you “trap” the SIGTERM, you can basically tell the operating system - whenever this parent process receives a SIGTERM, ignore it. The other processes in the process group - the child processes - all terminate, though, when they receive it.
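The behaviour described above, as an added Python example that is not part of the comment: a process-group leader traps SIGTERM, the signal is sent to the whole group, and only the child terminates. The helper name and the 60-second sleeper child are assumptions; the leader installs a handler rather than setting the signal to "ignore", because an ignored disposition is inherited by children across exec while a handler is reset to the default.

```python
import os
import signal
import subprocess
import sys

# Source of the group leader (the "parent"): it traps SIGTERM, starts one child,
# reports the child's pid, then waits for the child and reports how it ended.
LEADER_SRC = r"""
import signal, subprocess, sys
signal.signal(signal.SIGTERM, lambda signum, frame: None)  # trap: handle and carry on
child = subprocess.Popen([sys.executable, "-c", "import time; time.sleep(60)"])
print(child.pid, flush=True)
print(child.wait(), flush=True)  # negative value means "killed by that signal number"
"""

def term_group_keep_leader():
    """Send SIGTERM to a whole process group whose leader traps it.

    Returns (leader_exit_code, child_exit_code).
    """
    leader = subprocess.Popen(
        [sys.executable, "-c", LEADER_SRC],
        stdout=subprocess.PIPE,
        text=True,
        start_new_session=True,  # new session, so a new group with pgid == leader.pid
    )
    # The pid line is only printed once the trap is installed and the child is running.
    leader.stdout.readline()
    # Same effect as `kill -TERM -- -<pgid>` from a shell.
    os.killpg(leader.pid, signal.SIGTERM)
    child_rc = int(leader.stdout.readline())
    return leader.wait(timeout=10), child_rc

if __name__ == "__main__":
    leader_rc, child_rc = term_group_keep_leader()
    print(f"leader exited normally with {leader_rc}; child ended with {child_rc}")
```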
Depends on whether or not you want to kill only the child processes of a parent process or if you want to kill the parent as well. To kill the parent and children, you can kill the entire process group, specifying the pgid in the kill command. To kill only the parent you can trap SIGTERM in the parent and then send SIGTERM to the process group.
An unpopular opinion, I am sure, but if you’re a beginner with something - a new language, a new framework - and hate reading the docs, it’s a great way of just jumping into a new project. Like, I’ve been hacking away on a django web server for a personal project and it saved me a huge amount of time with understanding how apps are structured, how to interact with its settings, registering urls, creating views, the general development lifecycle of the project and the basic commands I need to do what I’m trying to do. God knows Google is a shitshow now and while Stackoverflow is fine and dandy (when it isn’t remarkably toxic and judgmental), the fact is that it cuts down on hours of fruitless research, assuming you’re not asking it to do anything genuinely novel or hyper-specific.
There’s a lot of use cases where regex makes a lot of sense: complex log parsing, determining if a value entered is a valid phone number or email, syntax highlighting, data validation in ML preprocessing, etc. A lot of languages also come with certain features that allow regex to be more efficient than dumb string matching, such as the ability to pre-compile patterns and the flexibility of being able to choose between deterministic and non-deterministic finite automata, should you need efficiency for one use case and flexibility for another. It really depends on what you’re designing and how it’s going to be used, of course.
I would say you can expand that on the following criteria: 1) a lot of people can have read access, but only a few should have write access, and read access should be restricted to specific tables without PII. 2) The people with write access should go through a Change Approval process: they submit the SQL they’re going to run and someone else approves or denies it before it can be done. 3) Every piece of SQL that modifies a table should be annotated with a comment and the ticket number in it in which that change was approved. 4) You should be able to rollback any committed change within an hour of it happening.
This is a perfect example of corporate apologia combined with not really understanding the sentiment to which you are replying. Hell, I even started my rant by saying “I guess it’s a difference between what I like in a laptop versus what other people like in them.” Also there is something really pathetic about being defensive of a corporate product about which another person has elements that they find annoying or unintuitive. Nothing you have said counters any factual observation about the behavior of the system and can be effectively dismissed on the basis that the foundational premise of every statement is “well no system is perfect.” Yeah, there are flaws with everything. I happen to dislike the specific flaws with Mac more than I dislike the specific flaws of most Linux distros or Windows. Windows largely gets a pass on the basis that I’m not forced to use it for work or any kind of power user shit. I’m expected to do that with a Mac, which amplifies the amount of negative feelings I have towards it. Familiarity breeds contempt. This is not a new facet of reality only I’ve discovered, hopefully. If I had to work on a Windows machine fulltime I’d probably hate it about as much as I do the Mac. But then again, it would be kind of weird to come into a thread specifically about Macs and start ranting about Windows sucking. Which is what you’re doing in a lot of this reply. So…yeah, maybe go outside and touch some grass because somebody doesn’t like your favorite OS and elected to comment in a thread where that was the topic of discussion.
That said, a few specific points:
Lots of people in this thread seem to really, really like being able to window snap, which I kind of get but also generally disagree with
You can’t disagree with people liking something. You can dislike something yourself, but someone else enjoying a particular feature is super weird and comes across as bizarrely authoritative.
All laptop keyboards are bad
There’s not even an argument to make here. You’re just wrong. Comparative to the Macs, there are other manufacturers that produce far better quality keyboards than those found on pretty much any Macbook.
How is this supposed to be a negative?
It’s because the battery quality is an extension of having a very specific operating system running on a very specific processor. It’s an incredibly tight coupling of software and hardware. Yes, it’s highly optimized, but the optimization comes at the cost of having to use their shitty operating system. Linux will run on almost anything. You don’t get the level of efficiency, maybe, but you do have control. I value control over the things I own and use over virtually everything else.
Aside from darwin, the kernel macOS runs on, Webkit, the browser engine that Chrome forked from, or passkeys, the thing that might replace passwords, you’re still really wrong.
Well, first of all, darwin is based on FreeBSD, which was already open source, so, not like they blazed new trails there. That said, let’s ignore Apple’s walled garden ecosystem and their longstanding opposition to right to repair, which they only caved on recently because of pending legislation. Or the fact that Apple hardware is effectively non-modifiable after purchase by design. You mentioned something about graphics cards. You know what’s neat about graphics cards? The ones that aren’t integrated can be replaced or changed. Good luck changing something yourself in a fucking Mac. There’s also a lot of open source projects that have been restricted from the App store because open source licenses are generally incompatible with App Store TOS. And, while Darwin might be open source, a ton of components for iOS and their iPadOS are not. And before you say, “well, what about Microsoft, huuuuuuuh?” Yeah, they suck too. Multiple, different things can be bad for the same reason.
How about screens? Trackpad? Physical material, etc?
Screens are overly glossy for my taste. Trackpad quality is average, although the physical buttons for the trackpad have this weird “thocky” response that makes them feel as cheap and shitty as their awful keyboard. Physical material is also average. These are things I left out because I personally don’t care about them very much.
“I can get vastly less done, and it’s going to be more uncomfortable the entire time.”
I guess you ignored the part where I said good things that I like about that specific device which allows me to be more productive on it than on my Mac. Or is your entire post purely an exercise in misrepresentation and intellectual dishonesty? Which would be appropriate for something written in praise of Apple products.
No, you were discussing a feature I wasn’t even talking about. I have two working hands and no need for any accessibility features. I explicitly referred to a pointless mouse setting - as in a setting that is completely useless for an attached peripheral mouse device. As in, it lets you select a mouse, once again - like an attached, peripheral Logitech mouse, from a dropdown and apply specific, useless settings to that device which only make sense for a keyboard. Because it either can’t distinguish between a pointer device and a keyboard for that setting, or, more likely, the UI developers didn’t even bother to try and apply any kind of device filtering for it. So, I will reiterate: a Mac enthusiast with abysmal reading comprehension skills; how rare!
I wonder if the reason mine never produces any heat is because I use it as a 2500 dollar Slack and Outlook machine. Any true dev work takes place on my Thinkpad running Endeavor. Also Slack is like the poster child for Javascript tech debt because it was written in Electron. It’ll run literally anywhere, but make you wish it didn’t because it’ll hoard your system’s resources like a fucking dragon. Damn thing is bloated as hell and it won’t even let you schedule statuses in case you’re out of office for specific hours on set days. We should all go back to IRC. It’s not pretty, but at least you can automate shit on IRC without having to beg a third party company like Slack for an API token and without taking up 14 gigs of RAM in order to render a clown emoji.
I believe many of the display issues were fixed with the M2
I have an M2 and it has literally every display issue I’ve talked about here.
But I’m also sure Windows is great for you
I hate Windows. I have a single Windows machine that I use for a few specific things and then like…5 linux machines. And then the M2.
“quick call?”
“sure, I’ve got time for the two hour meeting this is going to be.”