It's often in comments in the JS file(s) -- sometimes with the licenses quoted entirely and sometimes in a form abbreviated by an automated code packer. Probably a lot of sites aren't actually compliant with the terms of the licenses doing things that way, but IANAL.
Since character filtering is all about edge cases, I would like to note that if someone uses an FF14 character name as a display name, the game allows for apostrophe and hyphen and will have a single space.
It's not a huge edge case population wise (unless you're building an application focused on that community or genre), but as others have said it's much safer to prevent the injection from happening in the first place using an interface rather than try to figure out all the way a user can break out of a constructed string.
Looks pretty good. I could use it to rebuild my simple HTML and CSS only webpage. Having a lot of HTML files that you have to modify manually every time you want to update them is pretty boring and exhausting.
a browser extension i use for a cursory check is ‘WAVE evaluation tool’. which examines your webpage and reviews your structure, tags, color contrast etc. Like what you posted in your own response, you can always just learn to use a screen reader. i use NVDA and it didn’t really take all that long to learn how to use it. you will certainly gain a new perspective if you do.
hope this helps!
apologies on redundant sharing. the previous comments were not loaded for me.
HTTPS is already end to end encrypted. It's literally what it's for. TLS is everywhere: SMTP/IMAP (emails), even OpenVPN.
What about it are you trying to improve on? There ain't much you can do on a website, if the connection is intercepted then everything falls apart because the attacker already has the ability to modify whatever your server is sending, so any encryption you'd do in JS is compromised before it even runs.
If you can make an app, then you can do something called certificate pinning which effectively gives the client the public key of the server to expect. It guarantees that the client will only talk to the right server, and if that is broken, then literally everything is broken and nukes are probably about to get launched.
Most encryption uses the same primitives: RSA/ECDSA/DH to derive a stream cipher and then it's pretty much always AES these days, or sometimes ChaCha20, and usually SHA1 (broken) or SHA256 for message authentication.
E2EE makes senses when you're building say, a messaging app. There the E2EE is that the user's device holds the keys, so even the server can't see the message even as it stores it and sends it to the other device.
I may at times only have access to HTTP only (No HTTPS) which is one of the reasons why I want another form of encryption.
Encryption with most VPNs are more secure than HTTPS. Yes, the connection between the VPN server and the web server is not encrypted with the VPN and only HTTPS. However the encryption between the VPN and personal device is superior, not because it is relayed. My understanding is that HTTPS is "secure" for basic use, just like Windows 11 is secure. But not secure from five eye agencies unlike VPNs and other like systems like Tor and I2P.
My goal is to have a user connect to a web server and have it not possible for the web server to know what is going on, nor can anyone snooping the packets in transit know what is going on. Not know the HTML structure, form field data, etc.
And you cant use self signed certificates because?
They provide the same level of encryption. The benefit of a domain and a trusted CA issued cert is that browsers/os will automatically trust that the server is who its said it is (ie you dont get a warning).
But if you import your servers root CA to your OS, then your OS (and browser) will automatically trust any cert issued using that root cert, thus you dont get a warning.
With or without a warning, it will still encrypt at TLS1.3
Bun is designed as a drop-in replacement for Node.js. It natively implements hundreds of Node.js and Web APIs, including fs, path, Buffer and more.
The goal of Bun is to run most of the world's server-side JavaScript and provide tools to improve performance, reduce complexity, and multiply developer productivity.
If it can replace node and pnpm at the same time then this sounds quite good actually.
While Vite currently works with Bun, it has not been heavily optimized, nor has Vite been adapted to use Bun's bundler, module resolver, or transpiler.
So it can also do tooling like vite but it primarily aims to replace node as a better and faster js runtime since they're rewritten most js api in zig and c++ from what it shows on their github. I'll give it a try sometime and see if it's really all that fast and easy as it claims.
I would 100% use Wordpress. It's far and away the most mature option with the most diverse ecosystem of plugins. That survey you linked to is hardly a controlled study. I bet a lot of the folks using Wordpress would have low satisfaction with other CMSes.
Also, part of the problem there is that that Wordpress ecosystem is highly enshittified and monetized (probably contributing to dissatisfaction, especially with people who were messing with Wordpress ten years ago and remember what it was like when there were a million cool Open Source plugins that did what ever you wanted for free). But there is still a lot you can do for free if you know your way around it.
You can get ChatGPT to write code for you, and it does some things very well, but don't use it if you don't know how to code yourself. It's asking for trouble of both the "security vulnerability" kind and the "I don't know how to put all these pieces together" kind. The best advice is not to deploy any AI written code that you don't understand. AIs confidently make mistakes and get stuff wrong all the time.
One thing that ChatGPT IS good at is pointing you at Open Source plugins.
There IS a big security concern with self hosting Wordpress, but wordpress.com's hosting is pretty affordable.
Given your use case and the fact you seem willing to spend a little money, I think Wordpress with Divi is a solid choice. There are lots of good Divi tutorials on Youtube.
It's more expensive than Squarespace which is a main reason I chose Squarespace in the first place. I created a test site today to experiment with Wordpress and it seems that Wordpress has as much or more functionality than Squarespace, but much of it is hidden behind 3rd party addons, which may or may not be free. And you basically have to look up articles for "how to do x on Wordpress", whereas with Squarespace it's build-in and easier to accomplish.
So I think for people starting out, Wordpress is harder to use since you don't even know what it's capable of.
Divi is more expensive than Oxygen, so if I use something other than Gutenberg it will probably be Oxygen.
WordPress.com is horrendous and extremely expensive, and their practices are scummy. Divi is also fucking garbage. That other user has no idea what they are talking about.
Also, if memory serves, plain old HTML4 allowed you to load partial html files within a main page and they'd render as expected, which completely beats the reasoning behind the "why use web components" on the piece (reusability, maintainability)
I think you would be pleasantly surprised by the direction web dev is moving if you gave it a chance.
For example, I suspect that you think one of the ways the web has gotten shittier is because sites are too bloated and JavaScript frameworks are too heavy and slow.
One of the key takeaways is that, across almost all frameworks and stacks, web dev is moving back to doing as much work on the server-side as possible, while retaining the minimum necessary interactivity via Islands of Interactivity with much lighter JavaScript than what was pushed for the last decade.
Web Development
Top