This site is being built in the open

I decided to start over on a twenty-year-old personal website. Things will definitely feel rough draft as I build up a world from scratch. You can follow along with the progress on the commits page.

🔒 Secure by default

Mon, 21 Dec 2020 03:27:32 GMT

Okay, this is definitely overthinking it. But because I’m developing in the open, I’d rather opt for a secure default.

The body of git commits is being processed via MarkdownIt. I had set html: true because it’s the default in 11ty. I knew the risk involved, which is stated more clearly in the Nunjucks docs:

“Set true to enable HTML tags in source. Be careful! That’s not safe! You may need external sanitizer to protect output from XSS. It’s better to extend features via plugins, instead of enabling HTML.”

This means that a nefarious commit could result in arbitrary JavaScript execution.

<script>alert('XSS');</script>

Will I ever make such a commit? Probably not. But if this approach was copied to a public site that aggregated tons of commits without fine-toothed reviewing… yeah, definitely overthinking it.

What I like about embracing this constraint is that it opened up a path to completely eliminate the only-used-once {% include %}.
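
Added example, not code from this site or from MarkdownIt: a dependency-free Node.js script that uses a stand-in renderer to contrast passing commit-body HTML through with escaping it, plus a build-time audit that flags commits whose raw HTML would reach the page. The function names, the `passThroughHtml` option and the sample commits are assumptions constructed for illustration.

```javascript
// Stand-in renderer for illustration only; it is not MarkdownIt's implementation.
const ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Turn HTML metacharacters into entities so the browser shows them as text.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Render a commit body as paragraphs (split on blank lines).
// passThroughHtml: true models the risky setting, false models the secure default.
function renderCommitBody(body, { passThroughHtml = false } = {}) {
  return String(body)
    .split(/\n{2,}/)
    .map((p) => p.trim())
    .filter(Boolean)
    .map((p) => `<p>${passThroughHtml ? p : escapeHtml(p)}</p>`)
    .join("\n");
}

// Any tag in the output other than the renderer's own <p> wrapper means
// markup written in a commit message survived into the page.
function leakedTags(html) {
  const tags = html.match(/<\/?[a-zA-Z][^>]*>/g) || [];
  return tags.filter((tag) => !/^<\/?p>$/.test(tag));
}

// Build-time audit: list the commits whose rendered body contains live tags.
function auditCommits(commits, options) {
  return commits
    .map((c) => ({ sha: c.sha, leaked: leakedTags(renderCommitBody(c.body, options)) }))
    .filter((result) => result.leaked.length > 0);
}

// Constructed sample commits; the shas are placeholders.
const sampleCommits = [
  { sha: "placeholder-1", body: "Fix typo in footer\n\nNothing else changed." },
  { sha: "placeholder-2", body: "Tweak styles\n\n<script>alert('XSS');</script>" },
];

console.log("pass-through:", auditCommits(sampleCommits, { passThroughHtml: true }));
console.log("escaped:     ", auditCommits(sampleCommits, { passThroughHtml: false }));
```

Running the audit over the real renderer's output in the build step turns a later change of the HTML setting into a failed build instead of a silent regression.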