Message from JavaScript discussions

November 2018

— But it does not matter, thanks for trying. 👍🏻


1. There is no reason for a server to unescape HTML while sending it through a websocket to be processed by JS

2. There is no reason why it would encode double quotes into single quotes during a proper unescaping process.

3. Sending HTML through websockets suggests you have more problems, like constructing DOM elements post pageload from strings, which has serious performance problems.

— 4. There is no reason for the HTML to have been stored as escaped HTML in the first place on the server; this suggests huge input validation problems that stem from when this HTML was originally collected or entered.

— And because of 1 AND because of 4, it's an obvious call to assume that ALL the stored HTML is unsafe and cannot be used for displaying, especially not if it contains any type of user-entered data

— 1 and 4 is like painting your walls blue because you're gonna paint them red later

— Doesn't make sense

— Or like buying an apple and wrapping it in paper so you can unwrap it after

— And 2 is like wrapping it in a shitty way, so half of the apple is still showing

— Well what I see is that you judge colors with the ear.

— My ears are tuned with experience

— It doesn't matter what you're doing, this is the wrong way

— And why did you not give me a solution to my question? Or simply because you think something is wrong you prefer not to answer?