Web Development

computergeek125 , in Should you allow username to use Apostrophe (aka quotes )

Since character filtering is all about edge cases, I would like to note that if someone uses an FF14 character name as a display name, the game allows for apostrophe and hyphen and will have a single space.

It's not a huge edge case population-wise (unless you're building an application focused on that community or genre), but as others have said it's much safer to prevent the injection from happening in the first place using an interface rather than try to figure out all the ways a user can break out of a constructed string.

Kissaki , in Should you allow username to use Apostrophe (aka quotes )

You don't need to escape any content for storing in a DB field.

Use the correct database interface and you're good.

I'd be more concerned about intention and intentional design. Arbitrary characters can be misleading or problematic for users. Using an allow list for accepted username characters is a good approach if you can't depend on good intentions of users.

nous , in Should you allow username to use Apostrophe (aka quotes )

Any field in a DB can be vulnerable to SQL injection. Filtering out characters is a terrible way to mitigate that attack, you should be using prepared queries where it does not matter what chars you have in your username or password. You should never form a query with string concatenation.

You may want to limit chars in a username to ones allowed in URLs (or even ones that don't need escaping) if you ever want it to appear in a URL though. Or any other places the user name might be used, but an entry in a DB should not matter.

peter ,

Another good reason to filter characters is based on what people expect. You don't want people to be making accounts like OfficialSiteSupport'

damium ,

There are a lot of edge case characters around visually indistinguishable names. If that is a concern, usernames should use a restricted known character set instead of trying to block specific characters. You likely should also treat lookalike characters as equivalents when checking for username overlap.
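An added example (not code from any commenter in this thread) that puts the points above together: placeholders for every query, an allow list for the username shape, and a lookalike key for overlap checks. The table layout, the length limits, the three-entry lookalike map and the sample names are all constructed assumptions.

```python
import re
import sqlite3

# Allow list (assumed policy): ASCII letters/digits, with a single apostrophe,
# hyphen or space permitted only between alphanumeric runs.
USERNAME_RE = re.compile(r"[A-Za-z0-9]+(?:['\- ][A-Za-z0-9]+)*")
# Constructed lookalike folding; a real deployment would use a fuller table.
LOOKALIKES = str.maketrans({"0": "o", "1": "l", "I": "l"})


def lookalike_key(name: str) -> str:
    """Key used only for overlap checks: fold lookalikes, case, separators."""
    folded = name.translate(LOOKALIKES).casefold()
    return re.sub(r"['\- ]", "", folded)


def open_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT NOT NULL, lookalike TEXT NOT NULL UNIQUE)")
    return db


def register(db: sqlite3.Connection, name: str) -> str:
    if not (3 <= len(name) <= 32 and USERNAME_RE.fullmatch(name)):
        return "rejected"
    try:
        # Placeholders keep the value out of the SQL text, so the apostrophe
        # needs no escaping and cannot end the string literal.
        db.execute("INSERT INTO users (name, lookalike) VALUES (?, ?)",
                   (name, lookalike_key(name)))
    except sqlite3.IntegrityError:
        return "taken"  # another account already owns this lookalike key
    return "ok"


def find(db: sqlite3.Connection, name: str):
    row = db.execute("SELECT name FROM users WHERE name = ?", (name,)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = open_db()
    for candidate in ["K'ril Tha-lan", "OfficialSiteSupport", "OfficialSiteSupport'",
                      "Official-Site-Support", "0fficialSiteSupport", "x' OR '1'='1"]:
        print(f"{candidate!r}: {register(db, candidate)}")
```

The allow list and the lookalike key are display and impersonation policy; the database layer is safe with or without them because no value is ever spliced into the SQL text.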

prettybunnys , in Things you can do on your personal website

Big “100 ways to love your cat” vibes

https://youtu.be/87p53rAD7Sk?si=TxiVptPAqZBZQQ2h

wahming , in Apple attempting killing PWAs in EU: Action Needed

Eh, I'm happy to let apple do stupid stuff to lose themselves customers and / or bring the EU down on their heads

libreom OP ,

EU regulators need to hear from those affected to action, after March 7 they will take feedback

technom ,

I always say this - you're underestimating the size of the Apple fanboi crowd. They're ready to defend any crap Apple pulls on them.

Fijxu , in htmz - a low power tool for html

Looks pretty good. I could use it to rebuild my simple HTML and CSS only webpage. Having a lot of HTML files that you have to modify manually every time you want to update them is pretty boring and exhausting.

spartanatreyu , in Full Stack Web Development Roadmap

This seems a little meh, people shouldn't be getting taught react or nextjs if they're not proficient enough with JS first.

That just teaches people to reach for frameworks when what they're trying to do could likely be solved in a few lines of code.

amargo85 OP ,

i totally agree. i've been posting things in js for those interested in learning the basics of the language

spartanatreyu , in jQuery 4.0.0 BETA

Theo had a great video on this, and went through why jquery is still important for the internet (besides the older and/or inexperienced who use it):

https://www.youtube.com/watch?v=1bZYmpOOC8U

mac , in Deno in 2023

I still can't get to grips with the islands directory causing separation from my other components, it feels weird because both islands and components are components, I think Next.js' approach of having a use client string at the top of the interactive component makes much more sense because your component directory structure can mimic the app/pages directory layout.

Honestly it's the only thing keeping me from jumping over to Fresh.

comfyquaker , (edited ) in How to get feedback on visually-impaired accessibility for web apps?

a browser extension i use for a cursory check is ‘WAVE evaluation tool’, which examines your webpage and reviews your structure, tags, color contrast etc. Like what you posted in your own response, you can always just learn to use a screen reader. i use NVDA and it didn’t really take all that long to learn how to use it. you will certainly gain a new perspective if you do.

hope this helps!

apologies on redundant sharing. the previous comments were not loaded for me.

Vincent , in How to get feedback on visually-impaired accessibility for web apps?

By far the best first step you can take is to try it yourself. Follow a ten-minute tutorial on how to use one (Rob Dodson has good introductions, such as this one on VoiceOver - this is really a case where videos work best to learn), and then see if you can manage to navigate your web app using it. Ideally even with your screen turned away, but that's probably too hard at first, and also makes it hard to see what's going wrong.

PumpkinEscobar , in How to get feedback on visually-impaired accessibility for web apps?

There is a WAVE browser extension and some others, you can also use one of the screen readers yourself. I think that’s actually really helpful. I haven’t done that in a while but I remember when I did the screen reader functioned pretty differently than I thought it would

mozz OP Admin , (edited )

Yeah definitely. Someone sent me a pretty good article that recommended that you use a screen reader a little bit on your own stuff, one for making sure it's accessible, but two because it teaches you a different way to look at your design process.

IDK how much in depth time I'm planning to commit to this whole thing but I do think applying a screen reader is necessary if I'm going to claim my stuff works with it. I can't really see it being all that effective just to apply the right classes and hints to the existing page and hoping it all works out without testing it...

MajorHavoc , in A bit frustrated with my team and CSS

This sounds like a job for a team wide code review process.

If you don't say anything, it won't get better. Up to you whether that's worth the hassle, based on your team and your situation, of course

0xCAFE , in A bit frustrated with my team and CSS

Should I approach the team about this?

Yes, certainly. It sounds like some/most members of the team don't understand the stylesheet architecture of your project and it's vital to sort that out ASAP. The more time passes, the harder it will get to get everything back on track.

Try to avoid finger-pointing and this shouldn't be a very hard conversation (assuming they aren't super stubborn).


As a side note, the fact that you first address this issue on the Fediverse and not in your team makes me think that maybe there are some underlying issues regarding trust and open communication. You might want to further look into that. Take it with a large grain of salt though. I don't really know anything about your team so it's likely that I overdramatize the situation.

jjjalljs , in A bit frustrated with my team and CSS

That sounds like a pretty straightforward and simple conversation.

Do you do code reviews? Have code owners? If you (or a set of people you trust) were required to sign off on changes on the base files that aren't supposed to be changed willy-nilly, you could catch it before it went to main

Rokin ,

I agree, code review is the proper solution here
