rwhitisissle

joined 1 year ago
[–] rwhitisissle 1 points 9 months ago (3 children)

as if attention and a positive agenda on this stuff was a bad thing

This is culture war propaganda meant to make people think this problem - false rape accusations - is far more common than it actually is by putting a spotlight on it. Actual instances of rape - typically happening to women - never receive the degree of media attention that stories like this do. Probably because rape is really fucking common and there are over 100,000 instances of reported rape (and rape is an infamously under-reported crime) by women in the United States alone every single year, most of which lead to no jail time, prosecution, or even a police investigation into offenders.

[–] rwhitisissle 27 points 9 months ago (5 children)

Nowhere in the actual post was it implied that this was a recent event

Context clues suggest it's recent. The image in question is a Twitter screenshot from 2/7/2024. The current date is 2/10/2024. People are going to assume the Twitter screenshot is in reference to current events, instead of an old fucking news article from over a decade ago. It's called a lie of omission.

[–] rwhitisissle 1 points 9 months ago

Bro, have you seen the front page. People post ragebait constantly. It's just typically "Boomers something something, Zoomers something something better." This is just misogynistic instead of ageist.

[–] rwhitisissle 3 points 9 months ago

It's okay. Being a person is hard and communicating is a big part of being a person.

[–] rwhitisissle 8 points 9 months ago (1 children)

It's also dated 4/20. I'm amazed they didn't manage to sneak a 69 in there somewhere to get the full meme potential out of it.

[–] rwhitisissle 5 points 9 months ago (2 children)

I didn't pick up on the sarcasm in your description. And I'm usually pretty good at that. Not sure if that's a flaw in my reading comprehension or if your intent just didn't carry in that sentence. Maybe a bit of both.

[–] rwhitisissle 36 points 9 months ago* (last edited 9 months ago) (1 children)

picture of handwritten note taped to a window that criticizes Gen Z and praises Baby Boomers.

I'm not the brightest cookie in the toolshed but I know bait when I see it.

Edit: The top left hand corner of this is also dated 4/20. As the Brits would say "Someone's taking the piss."

[–] rwhitisissle 37 points 9 months ago (5 children)

follows Velma who is an amazing girl-boss who solves all the mysteries

Velma as a character was a lot of things, but she was mostly an insufferable, pathologically egotistical narcissist with hallucinatory delusions and severe mommy issues. Like, the show was horribly written, don't get me wrong, but let's not act like she was a Mary Sue.

[–] rwhitisissle 0 points 9 months ago* (last edited 9 months ago)

Oh boy a semantic argument

It turns out the language you use can be semantically ambiguous or misleading if you phrase it incorrectly. Today you learned.

And any web dev who remotely understands the point of CSP and why it was created, should instantly have alarm bells going off at the concept of triggering arbitrary ajax via html attributes.

Oh, did you finally manage to fucking Google how HTMX works so you could fish for more reasons to say it's unsafe? What you're describing is not a particular concern to HTMX. If an attacker can inject HTML into your page (for example, through an XSS vulnerability), they could potentially set up HTMX attributes to make requests to any endpoint, including endpoints designed to collect sensitive information. But, and this is very important, this is not a unique issue to HTMX; it's a general security concern related to XSS vulnerabilities and improper CSP configurations.

Do you know what the correct cure for that is?

PROPER CSP CONFIGURATION.

“HTMX doesn’t bypass CSP! It just (proceeds to describe the exact mechanism by which it bypasses CSP)”

Do you genuinely not understand that CSP works on the browser API level? It doesn't check to see if your JavaScript contains references to disallowed endpoints and then prevent it from running. I don't know how you "think" CSP operates, but what happens is this: The browser exposes an API to allow JavaScript to make HTTP requests - specifically XMLHttpRequest and fetch(). What CSP does is tell the browser "Hey, if you get an API request via XMLHttpRequest or fetch to a disallowed endpoint, don't fucking issue it." That's it. HTMX does not magically bypass the underlying CSP mechanism, because those directives operate on a level beyond HTMX's (or any JS library's) influence BY DESIGN. You cannot bypass it if it's properly configured. Two very serious questions: what part of this is confusing to you? And, have you ever tested this yourself in any capacity to even see if what you're claiming is even true? Because I have tested it and CSP will block ANY HTMX-issued request that is not allowed by CSP's connect-src directive, assuming that's set.

[–] rwhitisissle 1 points 9 months ago

CSP works on the browser API level - all HTMX does is what you could do yourself with any AJAX: send an HTTP request to an endpoint. If the CSP disallows that endpoint, it will fail.

[–] rwhitisissle 1 points 10 months ago* (last edited 10 months ago) (2 children)

Just to be clear, are you talking about some kind of templating library that literally transpiles all the htmx logic and instead packs it into individual ajax logic in js files “per element”, such that you don’t need to serve htmx client side and instead you pre-transpile all the ajax logic out to separate files?

My brother in Christ, what the fuck are you talking about "transpiling HTMX" and "serving HTMX client side?" You don't "serve" HTMX and there's nothing to "transpile into JavaScript." It is JavaScript. That's like saying you "serve React client side" and "transpile JavaScript into more JavaScript." Jesus, I feel like I'm taking crazy pills.

Cause the very start of my statements was that if we had something like that then HTMX would be fine, as a templating lib that transpiled out to html+js.

Oh, okay, so you don't actually know what HTMX is or how it works, then? Because HTMX (https://htmx.org/) is a JavaScript library. Like, literally just a JavaScript library. It's like....4000 lines of JavaScript. In fact you can read the source code for it here: https://github.com/bigskysoftware/htmx/blob/master/src/htmx.js. For some...insane reason you seem to think HTMX is its own language. It's not. It's...just a JavaScript library. There is no other language called HTMX. There is no other mechanism or tool called HTMX. No implementation or protocol or ANYTHING else. It's just a small JavaScript library.

invoke arbitrary logic with html attributes

Once again, HTMX enhances HTML with various attributes declaratively. It utilizes custom data attributes in HTML (like hx-get, hx-post) to specify how elements on the page should behave - essentially, how and where to fetch data or submit forms without a full page reload. This is a form of declarative programming that tells the htmx.js library (which is just doing fucking AJAX) what to do when certain events occur (e.g., a click or a form submission). The actions (like the actual requesting of data from an endpoint) are performed by the code in htmx.js.

This is a fancy way of saying "if you stick an hx-get attribute on a button, then you can just say where you want a GET request to go to and what element you want updated with the HTML returned from it and htmx.js will parse that out on page load and set an event listener for the button click to know when to initiate an AJAX request to the defined endpoint." If you had an hx-get attribute in an element in a page and that page didn't have the htmx.js library loaded it would do literally nothing.

And, once again, HTMX, being a JavaScript library, operates under the same security constraints as any JavaScript executed in the browser. This means that:

  1. HTMX's scripts themselves must be loaded from sources allowed by the script-src CSP directive.
  2. Any dynamic requests to load content or submit data initiated by HTMX are subject to CSP's connect-src directive.