From 35eca4eb59189e98b6c7031378ae4c53f1fe8d37 Mon Sep 17 00:00:00 2001
From: Ben Croker <57572400+bencroker@users.noreply.github.com>
Date: Mon, 5 Apr 2021 09:41:27 +0200
Subject: [PATCH] Improved security section

Clarified how a CSP may not be enough to secure user content and why `hx-disable` is relevant.
---
 www/docs.md | 14 +++++---------
 1 file changed, 5 insertions(+), 9 deletions(-)

diff --git a/www/docs.md b/www/docs.md
index 74e58b09..c0bfb7f1 100644
--- a/www/docs.md
+++ b/www/docs.md
@@ -907,18 +907,14 @@ htmx allows you to define logic directly in your DOM.  This has a number of adva
 largest being [Locality of Behavior](https://htmx.org/essays/locality-of-behaviour/) making your system 
 more coherent.
 
-One concern with this approach, however, is security.  This is especially the case if you are injecting user-created
+One concern with this approach, however, is security. This is especially the case if you are injecting user-created
 content into your site without any sort of HTML escaping discipline.  
 
-You should, of course, escape all 3rd party untrusted content that is injected into your site to prevent, among other 
-issues, [XSS attacks](https://en.wikipedia.org/wiki/Cross-site_scripting). Attributes starting with `hx-` and `data-hx`, 
-as well as inline `<script>` tags should all be filtered.
+You should, of course, escape all 3rd party untrusted content that is injected into your site to prevent, among other issues, [XSS attacks](https://en.wikipedia.org/wiki/Cross-site_scripting). Attributes starting with `hx-` and `data-hx`, as well as inline `<script>` tags should be filtered.
 
-Note that it is important to understand that htmx does *not* use eval for most of its features. You (or your security 
-team) may use a [CSP](https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP) that disallows inline scripting.  This will 
-have *no effect* on htmx functionality, and is almost certainly not what you (or your security team) intends.
+It is important to understand that htmx does *not* require inline scripts or `eval()` for most of its features. You (or your security team) may use a [CSP](https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP) that intentionally disallows inline scripts and the use of `eval()`. This, however, will have *no effect* on htmx functionality, which will still be able to execute JavaScript code placed in htmx attributes and may be a security concern.
 
-To address this, if you don't want a particular part of the DOM to allow for htmx functionality, you may place a
+To address this, if you don't want a particular part of the DOM to allow for htmx functionality, you can place the
 `hx-disable` or `data-hx-disable` attribute on the enclosing element of that area.  
 
 This will prevent htmx from executing within that area in the DOM:
@@ -929,7 +925,7 @@ This will prevent htmx from executing within that area in the DOM:
   </div>
 ```
 
-This approach allows you enjoy the benefits of [Locality of Behavior](https://htmx.org/essays/locality-of-behaviour/) 
+This approach allows you to enjoy the benefits of [Locality of Behavior](https://htmx.org/essays/locality-of-behaviour/) 
 while still providing additional safety if your HTML-escaping discipline fails. 
 
 ## <a name="config"></a>[Configuring htmx](#config)