elmigranto on July 2, 2024 | on: Htmx does not play well with content security poli...
> if someone manages to inject arbitrary HTML
If they can, why wouldn’t it be inline <script>?
amluto on July 2, 2024
Because CSP can be configured to block inline scripts.
jsheard on July 2, 2024
The syntax to allow inline scripts is even "unsafe-inline" to emphasize that you are entering the danger zone.
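The point made in the replies above, as an added example that is not part of any comment in the thread: a small checker that reads one CSP policy string and reports whether an injected inline `<script>` (one carrying no valid nonce or hash) would execute. The function names are hypothetical, the sample policies are constructed, and it assumes a single policy evaluated by a browser that ignores `'unsafe-inline'` when a nonce, hash or `'strict-dynamic'` is present.

```javascript
// Added example: would this CSP let an injected inline <script> run?

// Parse "name value value; name value" into a Map of directive -> sources.
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored by browsers; the first one wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// True only if the source list permits every inline script.
function allowsAllInline(sources) {
  let unsafeInline = false;
  for (const src of sources) {
    const s = src.toLowerCase();
    // A nonce, hash or 'strict-dynamic' makes 'unsafe-inline' a no-op.
    if (/^'(nonce-|sha(256|384|512)-)/.test(s) || s === "'strict-dynamic'") {
      return false;
    }
    if (s === "'unsafe-inline'") unsafeInline = true;
  }
  return unsafeInline;
}

function injectedInlineScriptRuns(policy) {
  const d = parsePolicy(policy);
  // <script> elements fall back: script-src-elem, script-src, default-src.
  const governing = ["script-src-elem", "script-src", "default-src"]
    .find((name) => d.has(name));
  if (governing === undefined) return true; // nothing restricts scripts
  return allowsAllInline(d.get(governing));
}

// Constructed sample policies.
const samples = [
  "img-src *",
  "default-src 'self'",
  "script-src 'self' 'unsafe-inline'",
  "script-src 'unsafe-inline' 'nonce-abc123'",
];
for (const p of samples) {
  console.log(injectedInlineScriptRuns(p) ? "RUNS   " : "BLOCKED", p);
}
```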