From 469ca864389ca8dae3eee6bdebf7a080623cc0b5 Mon Sep 17 00:00:00 2001 From: Ben Croker <57572400+bencroker@users.noreply.github.com> Date: Mon, 16 Nov 2020 12:55:35 +0100 Subject: [PATCH] Create hx-vals.md --- www/attributes/hx-vals.md | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) create mode 100644 www/attributes/hx-vals.md diff --git a/www/attributes/hx-vals.md b/www/attributes/hx-vals.md new file mode 100644 index 00000000..fe777bca --- /dev/null +++ b/www/attributes/hx-vals.md @@ -0,0 +1,24 @@ +--- +layout: layout.njk +title: htmx - hx-vals +--- + +## `hx-vals` + +The `hx-vals` attribute allows you to safely add to the parameters that will be submitted with an AJAX request. + +The value of this attribute is a list of name-expression values in [JSON (JavaScript Object Notation)](https://www.json.org/json-en.html) format. + +```html +
Get Some HTML, Including A Value in the Request
+``` + +### Security Considerations + +* The value of `hx-vals` must be valid [JSON](https://developer.mozilla.org/en-US/docs/Glossary/JSON). It is **not** dynamically computed, making it a safer alternative to [hx-vars](/attributes/hx-vars), especially when dealing with user input such as query strings or user-generated content, which could otherwise introduce a [Cross-Site Scripting (XSS)](https://owasp.org/www-community/attacks/xss/) vulnerability. + +### Notes + +* `hx-vals` is inherited and can be placed on a parent element. +* A child declaration of a variable overrides a parent declaration. +* Input values with the same name will be overridden by variable declarations.
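Review bot: The second paragraph of the new hx-vals.md describes the value as "a list of name-expression values", which contradicts the Security Considerations bullet stating that the value is **not** dynamically computed. That wording reads as carried over from hx-vars; "a list of name-value pairs" would match the JSON-only behaviour the page is documenting. The same applies to the last Notes bullet, where "variable declarations" could become "values declared in `hx-vals`". The Security Considerations bullet would also benefit from one more sentence saying that user input rendered into the attribute by a server-side template still has to be encoded for the HTML attribute context, since "safely" in the opening paragraph covers only the absence of expression evaluation. As a minor style point, the page links JSON to two different targets (json.org in the description, MDN in the security bullet); pick one.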