
I'd love to use HTMX at work. Sadly the security folks would probably balk at checking in JS code that uses eval(), even though you can disable eval at runtime in the HTMX config.

I thought about writing a script to remove all references to eval (and all tests relying on eval), but at that point it would probably be easier to just rewrite the library.



eval can be disabled at the CSP level, which is much better than at the source level (which can always be obfuscated, missed in a version update, etc.).


It can be, but then you discover how marketing added lots of gtag and other content which is already full of eval ;)


oof



