
> would love to see more tooling to lint and sanitize them before deployment

Sanitisation is one of two possible defences, the other being script execution controls or sandboxing. E.g., if you serve vector images on a web server, set a Content Security Policy header¹ for all your images that simply denies all scripting. You can also run it from a dummy domain ('origin') with nothing valuable on it (like how domains such as googleusercontent.com and githubusercontent.com are being used).

For sanitisation, DOMPurify² is the only widely used and tested library that I know of. It could use more bindings for other languages but, if you can call into it, it can go in your deployment pipeline. (Disclosure: I've worked with some of the people at Cure53, but not on this project.)

You can also combine the approaches for defence in depth.

¹ https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/CSP

² https://github.com/cure53/DOMPurify


More than 200 hotels already on this website. Wouldn't this be much more useful as an OpenStreetMap tag so people can find and share these good/bad hotels in whatever front-end they like?

There does not seem to be a tag for it yet. That there are apparently hundreds of instances, and it being definitely something you'd want to select for, makes me think it's a good fit for OSM. Currently, hotels can already have tags like phone number, reception opening hours, WiFi fees, etc. It might even be a good fit for the toilets:* namespace, since this has overlap with toilets in (semi-)public spaces offering different levels of privacy.


You can't put affiliate links in OSM tags.


The list doesn't seem to be accurate. I looked at a few and found zero evidence of missing bathroom doors in reviews or photos. One even had a review complaining the bathroom door was broken and not closing fully... indicating it is actually there.


The website has no open data license so this isn't usable for OSM, even if we wanted to. I just meant to propose collaborating on an existing platform where we already have a lot of data about physical features, rather than erecting an ephemeral platform for this special purpose.


Or if you need records other than A/AAAA, like MX for delivering email: https://anyz.one

E.g. 10.2.3.4.anyz.one will refer the recursive resolver to query 10.2.3.4 for the answer to the query. You can also buy a domain and configure it to do that, but this is quicker.

Disclosure: I wrote anyzone


List: https://en.wikipedia.org/wiki/List_of_organizations_with_.in...

(Not real affiliation but still: I added a domain to that page at some point)


> It’s been difficult to remove [old JPEG] from its perch. [...] the formats AVIF and HEIC, each developed by standards bodies, have largely outpaced [JPEG]

I'm currently sticking to JPEG because, last time I tried, JPEG came out as the best format. Referencing my memory at https://chaos.social/@luc/113615076328300784

- JPEG has two advantages on slow connections: the dimensions are either stored up front so the layout doesn't jump, or maybe the renderer is better; and it loads a less-sharp version first and progressively gets sharper

- JPEG was way faster when compressing and decompressing

- on the particular photo I wanted to optimise in this instance, JPEG was also simply the best quality for a given filesize which really surprised me after 32 years of potential innovation

Regarding AVIF, my n=1 experience was that it "makes smooth gradients where jpeg degrades to blotchy pixels, but at decent quality levels, jpeg preserves the grain that makes the photo look real". Gradients instead of ugliness at really small sizes can be perfect for your use-case, but note that it's also ~80 times slower at compression (80s vs. <1s).

JPEG XL isn't widely supported in browsers yet, so I couldn't use it.

> These days, the [JPEG] format is similar to MP3

The difference with MP3 is that Opus is either a bit better or much better, but it's always noticeably better.

You can save ~half the storage space. For speech (audio books) I use 40kbps, and for music maybe 128kbps, which is probably overkill. And I delete the originals without even checking anymore if it really sounds the same; I noticed that I simply can't tell the original apart in a blind test, no matter what expensive headset setup I try.

TFA attributes it to a simple "they were first" advantage, but I think this is the answer to "Why JPEGs still rule the web": no file format is better than JPEG in the same way as Opus is better than MP3, in that you don't have to think about it anymore and it's always a win in either filesize or quality.

That said, Opus is also annoyingly hard to get into people's minds, but I've done it, and you also see major platforms from compress-once-serve-continuously video (e.g. YouTube) to VoIP (e.g. WhatsApp) switching over for all their audio applications.


Was wondering what you meant so I looked up "the innerhtml problem" and the top result indeed does list quite a few issues with appending to innerHTML that can be easily avoided. For anyone else interested: https://stackoverflow.com/a/33995479/1201863


I knew changing innerHTML had some side effects, but this answer shows just how many corner cases it causes and offers a drop-in replacement at least for appending. Thought other developers on this site would also be interested to learn this.


Deeper than the practical consequences in the answer is the fundamental issue of mixing code with data and operating on the DOM with plaintext HTML like that. It's an antipattern in general. Compare to eval() on JS. Or SQL injection.

When you're dynamically manipulating a DOM, ideally you want to do so by the more semantic APIs. E.g. https://developer.mozilla.org/en-US/docs/Web/API/Node/append...

(Not to say that there aren't valid use-cases e.g. when views may be loaded from remotes but if you're constructing the view on the client, best to avoid treating the DOM or its nodes as HTML)


I really like alternativeto. It's not always good: sometimes there are simply no good alternatives, or the community hasn't voted for the ones I'd have voted for and so a good option is way, way down. But if I want to know alternatives, I go there directly, so I guess that's maybe why people block it from appearing in random search results? I found it puzzling to see a useful site blocked (especially when I haven't seen it appear much in search results, but then, I've also been using DDG primarily, which ranks things rather differently).


I don't understand. Opening the page in a logged-out state, it looks the same to me (just that there are no buttons to pick whether you want to raise/lower/block a domain when you're logged out). What's the different view you mean?


If only it was merely useless. I know its reputation, but it had some information that MDN did not have, so I used it this once in recent years. Turned out, the information was simply wrong and so I made a wrong decision based on that. (It might have been about favicon format support in different browsers. Presumably it was Safari that never had support for vector graphics whereas w3schools listed it as such, and it's not like you can just download Safari to double check.) Regardless, what I'm sure about is that I alerted them to whatever the problem was, but for me it was the last nail in that coffin.

