Question:

Why do all static site generators (that I've tried, anyway) default to sanitizing HTML input? I'd never thought about it; I'd just labeled it as "preventing XSS attacks".

But, thinking about it now, a static site generator could never *have* an XSS vulnerability … unless a 3rd party can trigger a build through some sort of CI process. Is that what it's about?

Or is it just that static sites tend to use templating languages that are also used elsewhere?

#hugo #gutenberg #pelican

@codesections If you have an input form on a static site generator's page then where is the form even going? You don't have a backend.

The reason it would probably be a default is because you can use a static site generator to build front ends to systems. I'd argue the checking should be on the backend though.

I should also point out I never noticed this behavior on any of the SSGs I used.
