
Server side includes are still the perfect amount of power if you want to do templating stuff like comments.html, footer.html or right_menu.html includes across all site pages. And the attack surface is so minimal and the code so stable that there's basically no increased risk using SSI over just html with nginx and similar webservers.


Ah but! The problem is SSI includes the bang directive, which outputs the results of a shell command.

Once that's available, people will demand and abuse it, and we're back at cgi-bin.


> SSI includes the bang directive,

Not in ngx_http_ssi_module or any modern webserver I've used? As for "people"? What people? I guess your implicit assumption is this is a group or commercial project? I was thinking more website made by a human person.


https://httpd.apache.org/docs/current/howto/ssi.html

(I've still never seen the need to switch to more trendy web servers, so they may well have disabled exec)
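An added example, not part of the thread: a small audit for the setup discussed above. In Apache's mod_include the command-running directive is the `exec` element (`cmd` or `cgi` attribute), and `Options IncludesNOEXEC` keeps SSI while disabling it. The sample page and config below are constructed, and the function names are hypothetical.

```python
import re

# SSI directive syntax: <!--#element attr="value" ... -->
DIRECTIVE = re.compile(r'<!--#(\w+)\s+(.*?)\s*-->', re.DOTALL)
ATTR = re.compile(r'''(\w+)\s*=\s*(?:"([^"]*)"|'([^']*)'|`([^`]*)`|(\S+))''')
OPTIONS = re.compile(r'^\s*Options\s+(.*)$', re.IGNORECASE | re.MULTILINE)

def find_exec_directives(page):
    """Return (line, attribute, value) for every SSI exec directive."""
    findings = []
    for m in DIRECTIVE.finditer(page):
        if m.group(1).lower() != "exec":
            continue  # include, echo, set, ... do not run commands
        line = page.count("\n", 0, m.start()) + 1
        for a in ATTR.finditer(m.group(2)):
            value = next(g for g in a.groups()[1:] if g is not None)
            findings.append((line, a.group(1).lower(), value))
    return findings

def options_lines_allowing_exec(conf):
    """Return Options lines that explicitly enable full Includes (exec allowed).
    Only the explicit token is checked; IncludesNOEXEC is not flagged."""
    hits = []
    for m in OPTIONS.finditer(conf):
        tokens = [t.lstrip("+").lower() for t in m.group(1).split()]
        if "includes" in tokens:
            hits.append(m.group(0).strip())
    return hits

# Constructed sample inputs
SAMPLE_PAGE = """<html><body>
<!--#include virtual="/footer.html" -->
<p>Uptime: <!--#exec cmd="uptime" --></p>
<!--#exec cgi="/cgi-bin/counter.cgi" -->
<!--#echo var="DATE_LOCAL" -->
</body></html>
"""
SAMPLE_CONF = """<Directory "/var/www/html">
    Options +Includes
</Directory>
<Directory "/var/www/blog">
    Options +IncludesNOEXEC
</Directory>
"""

if __name__ == "__main__":
    print(find_exec_directives(SAMPLE_PAGE))
    print(options_lines_allowing_exec(SAMPLE_CONF))
```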


But can you write Doom with SSI?


I suppose in theory.

Pass the button press of the clicked button iframe to a headless version of the game.

Capture and transfer the output to a transparent PNG back via an HTTP meta refresh in another iframe.



