Proposal: drop htmx #14750

Open
opened 2025-11-02 11:21:58 -06:00 by GiteaMirror · 8 comments
Owner

Originally created by @wxiaoguang on GitHub (Jul 12, 2025).

htmx is fun and handy for a small project, but it doesn't work well for a large one.

I can see some fundamental problems due to its fragile design:

  1. It supports automatically sending POST methods, but it doesn't support CSP nonce.
    • It puts the website at XSS-like risk: an attacker can inject and execute tags with `hx-xxx` attributes even if a CSP nonce is used
  2. It has unclear behaviors, e.g.: when reading an `hx-xxx` on an element, we are not able to know what happens in its parents
    • https://github.com/bigskysoftware/htmx/issues/2515
  3. Its loading & initialization behavior is quite strange, and unlikely to be fixed
    • https://github.com/bigskysoftware/htmx/pull/3365
  4. Its "hx script" support is fragile and cannot be linted
  5. Developers should always remember to call `htmx.process` when modifying `innerHTML`/`outerHTML`, but it is frequently forgotten
    • #33851
    • I added the `htmx.process` in #35010 (https://github.com/go-gitea/gitea/commit/a646b328b8ca79fc052c162fdcf0929a4d49e060)

And its size is similar to jQuery (not trivial); in Gitea's code base we only use very few of htmx's features, which can be implemented by ourselves with a better design.

GiteaMirror added the type/proposal label 2025-11-02 11:21:58 -06:00

@stuzer05 commented on GitHub (Jul 12, 2025):

Is it possible to make the entire UI in Vue as a single app?


@lunny commented on GitHub (Jul 12, 2025):

> Is it possible to make the entire UI in Vue as a single app?

I think it’s reasonable to use SPA for settings and admin pages, but not for publicly accessible pages, for the following key reasons:

  • SPA increases initial loading time, which can negatively affect user experience.
  • It’s not SEO-friendly, making public content harder to index and discover.
  • It requires significant effort, but the benefits are unclear.

Therefore, I suggest we rewrite the current HTMX-based components using Vue - but only for these pages, not the entire site.


@wxiaoguang commented on GitHub (Jul 15, 2025):

cc @silverwind @yardenshoham


@yardenshoham commented on GitHub (Jul 15, 2025):

I think it adds enough value to the end-user to be worth the maintenance burden. I also recognize there is a maintenance burden, and it looks like I am the only one comfortable with it. For that reason, I will not block an htmx removal effort.


@wxiaoguang commented on GitHub (Jul 15, 2025):

Yep, it does add enough value, and I think "which can be implemented by ourselves with a better design", then no maintenance burden.


@silverwind commented on GitHub (Jul 15, 2025):

I never liked it. It's designed for the use case of js-less apps, but we have js and we can do better.


@ptman commented on GitHub (Oct 27, 2025):

htmx does support CSP nonce, check out e.g. inlineScriptNonce. But I'm not going to maintain htmx in gitea, so maintainers will decide what they want to maintain.


@wxiaoguang commented on GitHub (Oct 27, 2025):

> htmx does support CSP nonce, check out e.g. inlineScriptNonce. But I'm not going to maintain htmx in gitea, so maintainers will decide what they want to maintain.

  • Content-Security-Policy nonce: it is designed to prevent the untrusted scripts from executing
  • htmx's inlineScriptNonce: it only adds "nonce" to inline script tags
  • htmx's "hx script": it executes the untrusted scripts injected by attackers even if Content-Security-Policy nonce doesn't allow

Overall, htmx's design doesn't look right.

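A reduced model of the risk raised in point 1 of the proposal and in the last reply above, added here as an illustration; it is not htmx or Gitea code. The page is modelled as a tree of plain objects so it runs under Node without a DOM, and the attribute names (`hx-post`, `hx-trigger`, `data-user-content`), the nonce value and the URLs are constructed for the demo. It shows why a script-src nonce does not help: the nonce only decides whether a `<script>` runs, while an attribute-driven loader acts on any element it finds, so markup injected into user content becomes a request-forgery primitive. The second processor is one possible hardening (behaviour attributes are inert under roots the server marks as user content), not a description of what htmx does.

```javascript
// Added example (not htmx or Gitea code): models an attribute-driven loader
// over a plain-object page tree. Attribute names, nonce and URLs are assumed.

const PAGE_NONCE = "c3VwZXJzZWNyZXQ"; // assumed per-response CSP nonce

function el(tag, attrs = {}, children = []) {
  return { tag, attrs, children };
}

// What a `script-src 'nonce-...'` policy decides: an inline <script> runs only
// with the matching nonce. It says nothing about attributes on other elements.
function cspAllowsScript(node, nonce) {
  return node.tag === "script" && node.attrs.nonce === nonce;
}

// Depth-first walk. `untrusted` becomes true once we are under a node the
// server marked as carrying user-authored markup (assumed data-user-content).
function walk(node, visit, inUserContent = false) {
  const untrusted = inUserContent || "data-user-content" in node.attrs;
  visit(node, untrusted);
  for (const child of node.children) walk(child, visit, untrusted);
}

function declaresRequestOnLoad(node) {
  return Boolean(node.attrs["hx-post"]) && node.attrs["hx-trigger"] === "load";
}

// Naive loader in the spirit of an hx-* style library: every element anywhere
// that declares a request on load gets it issued. No <script> is involved, so
// the CSP nonce never enters the decision.
function naiveProcess(root) {
  const issued = [];
  walk(root, (node) => {
    if (declaresRequestOnLoad(node)) {
      issued.push({ method: "POST", url: node.attrs["hx-post"] });
    }
  });
  return issued;
}

// Hardened variant: behaviour attributes are honoured only outside user-content
// roots, so injected markup can at most render, never act.
function scopedProcess(root) {
  const issued = [];
  walk(root, (node, untrusted) => {
    if (untrusted) return;
    if (declaresRequestOnLoad(node)) {
      issued.push({ method: "POST", url: node.attrs["hx-post"] });
    }
  });
  return issued;
}

// Counts inline scripts the nonce policy would refuse to run.
function blockedScripts(root) {
  let blocked = 0;
  walk(root, (node) => {
    if (node.tag === "script" && !cspAllowsScript(node, PAGE_NONCE)) blocked++;
  });
  return blocked;
}

// Constructed page: one server-rendered loader, plus a comment body into which
// an attacker got both a <script> (no nonce) and an hx-* element.
function buildPage() {
  return el("body", {}, [
    el("div", { "hx-post": "/notifications/poll", "hx-trigger": "load" }),
    el("div", { "data-user-content": "" }, [
      el("p"),
      el("script"),                                                    // stopped by CSP
      el("div", { "hx-post": "/repo/delete", "hx-trigger": "load" }), // not a script
    ]),
  ]);
}

const page = buildPage();
console.log("scripts blocked by CSP:", blockedScripts(page));            // 1
console.log("naive loader issues:", naiveProcess(page).map((r) => r.url)); // both URLs
console.log("scoped loader issues:", scopedProcess(page).map((r) => r.url)); // first only
```

The scoping rule is the cheap part; the expensive part in a real code base is the same one point 5 of the proposal complains about: every code path that writes `innerHTML`/`outerHTML` has to route through the scoped processor, and a single direct write re-opens the gap.
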
Reference: github-starred/gitea#14750