<rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Hacker News: philo23</title><link>https://news.ycombinator.com/user?id=philo23</link><description>Hacker News RSS</description><docs>https://hnrss.org/</docs><generator>hnrss v2.1.1</generator><lastBuildDate>Tue, 28 Apr 2026 16:41:10 +0000</lastBuildDate><atom:link href="https://hnrss.org/user?id=philo23" rel="self" type="application/rss+xml"></atom:link><item><title><![CDATA[New comment by philo23 in "The woes of sanitizing SVGs"]]></title><description><![CDATA[
<p>The main use case I was thinking of is being able to use an inline SVG, but with external resources inside of it (like say a CSS background image using url(...)) in such a way that it ends up loading that embedded content in a cross-origin anonymous way and blocking all embedded scripts. That way someone can't make requests to CSRF exploitable URLs by setting an embedded image to something like example.com/my-submission/favourite<p>But also so that setting up a CSS transform: scale(10000) can't take over the entire viewport, it'd be constrained to an iframe-like boundary (exactly like an <img>) but still remain as an inline SVG, sort of like an <iframe srcdoc>. So scripts on the parent/host HTML document can still manipulate it like the rest of the DOM, but the inner <svg> elements are all "inert" for want of a better word.<p>Actually I don't know off the top of my head what happens with an SVG file inside of a <img> when it references external images (either cross-domain or not.) I know scripts and animations get disabled, so I'd take a guess and say some CSS gets blocked too.<p>Again I've not really thought terribly hard about it, or if it's actually useful at all, and I'm betting it'd be filled with even more foot-guns than there are right now. I'm just thinking out loud.</p>
]]></description><pubDate>Mon, 27 Apr 2026 22:07:09 +0000</pubDate><link>https://news.ycombinator.com/item?id=47928039</link><dc:creator>philo23</dc:creator><comments>https://news.ycombinator.com/item?id=47928039</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47928039</guid></item><item><title><![CDATA[New comment by philo23 in "The woes of sanitizing SVGs"]]></title><description><![CDATA[
<p>> How can you prevent it from accessing a parent doc when it's not a separate document.<p>By turning it into a document boundary when you use the sandbox attribute, kinda similar to loading an svg file inside of an <img> tag.<p>and yeah you could get 90% of the way there with an iframe srcdoc, but I was imagining some kind of cross between an <iframe> sandboxed into its own origin, and an <img> where it still has its own intrinsic size.<p>but it was mainly just a throwaway thought, I've not really thought it through much deeper than that.</p>
]]></description><pubDate>Mon, 27 Apr 2026 19:36:41 +0000</pubDate><link>https://news.ycombinator.com/item?id=47926277</link><dc:creator>philo23</dc:creator><comments>https://news.ycombinator.com/item?id=47926277</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47926277</guid></item><item><title><![CDATA[New comment by philo23 in "The woes of sanitizing SVGs"]]></title><description><![CDATA[
<p>It'd be nice if there was a sandbox attribute you could add to inline <svg> tags, like the <iframe sandbox> attribute that'd let you opt out of all the potentially "dynamic" stuff inside of an SVG like scripts and event handlers, or even just literally sandbox the entire thing from accessing the "parent" HTML page's context/cookies/etc just like an iframe.<p>I'm sure it'd just open up a whole other can of worms though... not to mention having to wait for browsers to actually support it.<p>The real solution here is definitely CSP + basic sanitisation though.</p>
]]></description><pubDate>Mon, 27 Apr 2026 16:33:31 +0000</pubDate><link>https://news.ycombinator.com/item?id=47923802</link><dc:creator>philo23</dc:creator><comments>https://news.ycombinator.com/item?id=47923802</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47923802</guid></item><item><title><![CDATA[New comment by philo23 in "PHP 8.6 Closure Optimizations"]]></title><description><![CDATA[
<p>Little bit of extra detail about static closures in PHP for anyone interested: <a href="https://www.php.net/manual/en/functions.anonymous.php#functions.anonymous-functions.static" rel="nofollow">https://www.php.net/manual/en/functions.anonymous.php#functi...</a></p>
]]></description><pubDate>Thu, 16 Apr 2026 18:05:16 +0000</pubDate><link>https://news.ycombinator.com/item?id=47797233</link><dc:creator>philo23</dc:creator><comments>https://news.ycombinator.com/item?id=47797233</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47797233</guid></item><item><title><![CDATA[New comment by philo23 in "macOS 26 breaks custom DNS settings including .internal"]]></title><description><![CDATA[
<p>Just tried it on my Mac and sadly it doesn’t seem like it. I’m still on Sequoia, so possibly it does it on Tahoe, but probably unlikely. That’s a shame.<p>It’d be nice if someone on the Safari team added this though to match Chrome and Firefox!</p>
]]></description><pubDate>Thu, 19 Mar 2026 17:21:16 +0000</pubDate><link>https://news.ycombinator.com/item?id=47442764</link><dc:creator>philo23</dc:creator><comments>https://news.ycombinator.com/item?id=47442764</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47442764</guid></item><item><title><![CDATA[New comment by philo23 in "macOS 26 breaks custom DNS settings including .internal"]]></title><description><![CDATA[
<p>It's not quite the same, but I've moved to using *.localhost for all my local web dev work. All modern browsers will resolve *.localhost to 127.0.0.1 internally. No need to set up any DNS resolvers or edit your hosts file.<p>But that only really helps you when you're dealing with websites in a browser, and when you want the address to resolve back to your local machine. So it won't help you with other programs like python/wget/etc or any calls you make to getaddrinfo()</p>
]]></description><pubDate>Thu, 19 Mar 2026 17:00:17 +0000</pubDate><link>https://news.ycombinator.com/item?id=47442500</link><dc:creator>philo23</dc:creator><comments>https://news.ycombinator.com/item?id=47442500</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47442500</guid></item><item><title><![CDATA[New comment by philo23 in "Node.js needs a virtual file system"]]></title><description><![CDATA[
<p>Little bit saddened the sqlite provider doesn't use the SQLite archive format under the hood. Seems like it'd be a good fit for what they're trying to achieve + give you an easy way to create/extract the files out of the virtual file system.<p>The sqlar schema is missing some of the info that's being stored atm, but there's nothing stopping you from adding your own fields/tables on top of the format, if anything the docs encourage it. It is just a sqlite database at the end of the day.<p><a href="https://www.sqlite.org/sqlar.html" rel="nofollow">https://www.sqlite.org/sqlar.html</a></p>
]]></description><pubDate>Wed, 18 Mar 2026 03:10:44 +0000</pubDate><link>https://news.ycombinator.com/item?id=47421215</link><dc:creator>philo23</dc:creator><comments>https://news.ycombinator.com/item?id=47421215</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47421215</guid></item><item><title><![CDATA[New comment by philo23 in "The Falkirk Wheel"]]></title><description><![CDATA[
<p>I'm not sure why the Falkirk Wheel keeps getting posted to HN, but hey I'm not gonna complain!<p>I'll repost what I shared last time though, there's another much older boat lift on the canal network that solves a similar problem of transporting boats from the canal up and down to a river, but built with Victorian engineering instead (though it's been retrofitted a few times) called the Anderton Boat Lift, and it's worth a visit!<p><a href="https://canalrivertrust.org.uk/things-to-do/museums-and-attractions/anderton-boat-lift-and-visitor-centre-cheshire" rel="nofollow">https://canalrivertrust.org.uk/things-to-do/museums-and-attr...</a><p>The UK's canal network as a whole is fantastic, and definitely worth a day out on if you've got the time.</p>
]]></description><pubDate>Wed, 11 Feb 2026 16:30:21 +0000</pubDate><link>https://news.ycombinator.com/item?id=46977047</link><dc:creator>philo23</dc:creator><comments>https://news.ycombinator.com/item?id=46977047</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=46977047</guid></item><item><title><![CDATA[New comment by philo23 in "Microsoft mishandling example.com"]]></title><description><![CDATA[
<p>Just a guess but why do I get the feeling it’s because someone who set up sei.co.jp in Azure Entra (aka Azure AD) somehow managed to add/claim the domain “example.com” against their company's tenant.<p>It’s clearly not using the DNS records for discovery because they don’t exist, the only other option I can see is some weird fall through or hard coded value and it seems like an odd one to pick.</p>
]]></description><pubDate>Fri, 23 Jan 2026 16:54:21 +0000</pubDate><link>https://news.ycombinator.com/item?id=46734739</link><dc:creator>philo23</dc:creator><comments>https://news.ycombinator.com/item?id=46734739</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=46734739</guid></item><item><title><![CDATA[New comment by philo23 in "Ask HN: What did you find out or explore today?"]]></title><description><![CDATA[
<p>The relative date formats are super useful. It can get a bit confusing when there's timezones involved though.<p><a href="https://www.php.net/manual/en/datetime.formats.php#datetime.formats.relative" rel="nofollow">https://www.php.net/manual/en/datetime.formats.php#datetime....</a></p>
]]></description><pubDate>Thu, 15 Jan 2026 14:24:17 +0000</pubDate><link>https://news.ycombinator.com/item?id=46632947</link><dc:creator>philo23</dc:creator><comments>https://news.ycombinator.com/item?id=46632947</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=46632947</guid></item><item><title><![CDATA[New comment by philo23 in "Find a pub that needs you"]]></title><description><![CDATA[
<p>Yep, locally where I am there’s one postcode for all the houses on one side of the street (all the even numbered houses) and another for the opposite side (all the odd numbers.)<p>Presumably it helps a lot with validating the address is correct, kinda like a checksum, and also probably helps with how deliveries are organised by the local office before the postie is sent out with them all.</p>
]]></description><pubDate>Thu, 15 Jan 2026 09:46:48 +0000</pubDate><link>https://news.ycombinator.com/item?id=46630316</link><dc:creator>philo23</dc:creator><comments>https://news.ycombinator.com/item?id=46630316</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=46630316</guid></item><item><title><![CDATA[New comment by philo23 in "Find a pub that needs you"]]></title><description><![CDATA[
<p>Kinda meta, but this is the first time in a long time where I've put only the first half of my postcode in expecting it not to work and been surprised. Most of these "find your nearest XYZ" sites require the full postcode which is just unnecessary unless you're looking for a fairly precise location. A full postcode can narrow your location down to an individual street, so it's nice not to give too much away if you can.<p>For anyone not in the know, UK postcodes are made up of two parts: a general area (the outward code) and then a more specific one (the inward code.) Generally speaking a postcode + house number will be good enough to get a letter delivered to the right place, though the sorting office might not be too happy with you...<p>The format [0] is roughly: AB12 3CD, though the number of letters/numbers on the left side can vary a bit. As far as I know the second set of numbers is always 1 digit though, so that's how you can easily split the two sides of it to format it nicely. There's a couple of special ones that break the rules though.<p>[0] <a href="https://en.wikipedia.org/wiki/Postcodes_in_the_United_Kingdom#Structure,_Formatting_and_Validation" rel="nofollow">https://en.wikipedia.org/wiki/Postcodes_in_the_United_Kingdo...</a></p>
]]></description><pubDate>Wed, 14 Jan 2026 22:32:41 +0000</pubDate><link>https://news.ycombinator.com/item?id=46624775</link><dc:creator>philo23</dc:creator><comments>https://news.ycombinator.com/item?id=46624775</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=46624775</guid></item><item><title><![CDATA[New comment by philo23 in "GBC Boot Animation 88×31 Web Button"]]></title><description><![CDATA[
<p>My favourite thing about these is that nearly everyone just kind of agreed on using that same pixel font for the text on the right side.</p>
]]></description><pubDate>Tue, 06 Jan 2026 17:20:59 +0000</pubDate><link>https://news.ycombinator.com/item?id=46515300</link><dc:creator>philo23</dc:creator><comments>https://news.ycombinator.com/item?id=46515300</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=46515300</guid></item><item><title><![CDATA[New comment by philo23 in "Jeffgeerling.com has been migrated to Hugo"]]></title><description><![CDATA[
<p>A long while ago I wrote a very simple static site generator for my personal site, mainly just to play around with using GitHub/Cloudflare pages to host my personal site.<p>Then a couple of months ago I started comparing the big SSG tools after wanting something a bit less held together with duct tape... after a lot of experimenting I settled on 11ty at the time, but I really don't enjoy writing Liquid templates, and writing reusable components using Liquid felt very clumsy. I just wish it was much easier to use the JSX based templates with 11ty, but every step of the way feels like I'm working against the "proper" way to do things.<p>So over Christmas holiday I've been playing around with NextJS SSG, and while it does basically everything I want (with some complicated caveats) I also can't help but feel like I'm trying to use an oil rig to make a pilot hole when a drill would do just fine...<p>Anyone got any recommendations on something somewhere in between 11ty and NextJS? I'd love something that's structured similar to 11ty, but using JSX with SSG that then gets hydrated into full blown client side components.<p>The other thing I've been meaning to try is going back to something custom again, but built on top of something like Tempest [1] to do most of the heavy lifting of generating static pages, but obviously that wouldn't help at all with client side components.<p>[1]: <a href="https://tempestphp.com" rel="nofollow">https://tempestphp.com</a></p>
]]></description><pubDate>Sun, 04 Jan 2026 16:33:53 +0000</pubDate><link>https://news.ycombinator.com/item?id=46489535</link><dc:creator>philo23</dc:creator><comments>https://news.ycombinator.com/item?id=46489535</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=46489535</guid></item><item><title><![CDATA[New comment by philo23 in "Using Git add -p for fun (and profit)"]]></title><description><![CDATA[
<p>My two favourite bits of git add -p that aren't mentioned here:<p>the / (search) command to search unstaged hunks for a specific keyword rather than having to jump through all the individual changes you've made when there's lots.<p>and the e (edit) command to manually split out two changes that end up in one hunk that I'd rather have in individual commits.</p>
]]></description><pubDate>Sun, 14 Dec 2025 15:36:41 +0000</pubDate><link>https://news.ycombinator.com/item?id=46263792</link><dc:creator>philo23</dc:creator><comments>https://news.ycombinator.com/item?id=46263792</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=46263792</guid></item><item><title><![CDATA[New comment by philo23 in "Microsoft increases Office 365 and Microsoft 365 license prices"]]></title><description><![CDATA[
<p>It's not exactly the same, but I definitely remember Microsoft releasing some kind of conversion tool around the start of Office 2007's life that could convert the newer XML based files into the older '03 compatible files. Or maybe it was the other way around... No idea if that tool's still kicking around somewhere.</p>
]]></description><pubDate>Tue, 09 Dec 2025 13:50:10 +0000</pubDate><link>https://news.ycombinator.com/item?id=46204909</link><dc:creator>philo23</dc:creator><comments>https://news.ycombinator.com/item?id=46204909</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=46204909</guid></item><item><title><![CDATA[New comment by philo23 in "Firefox 147 Will Support the XDG Base Directory Specification"]]></title><description><![CDATA[
<p>From that diff it looks to me that if ~/.mozilla exists OR if MOZ_LEGACY_HOME is set it uses ~/.mozilla, otherwise it uses the $XDG_CONFIG_HOME/.mozilla directory instead.<p>So no migration to the XDG directory, but also no throwing away your existing data either.</p>
]]></description><pubDate>Thu, 20 Nov 2025 14:56:51 +0000</pubDate><link>https://news.ycombinator.com/item?id=45993217</link><dc:creator>philo23</dc:creator><comments>https://news.ycombinator.com/item?id=45993217</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=45993217</guid></item><item><title><![CDATA[New comment by philo23 in "Steam Machine"]]></title><description><![CDATA[
<p>I believe that was part of the original plan for Proton, but with the success of the Steam Deck that got shelved and it moved to a focus purely on Linux.<p>I don't think it's ever likely to return any time soon, but it'd be cool if it did. Valve seemingly have very little interest in macOS at the moment.<p>CodeWeavers work closely with Valve and the Wine project to improve compatibility with games, and Apple's own Game Porting Toolkit is based on CodeWeavers work on Wine too. So all the pieces are there in theory.</p>
]]></description><pubDate>Thu, 13 Nov 2025 02:25:17 +0000</pubDate><link>https://news.ycombinator.com/item?id=45909736</link><dc:creator>philo23</dc:creator><comments>https://news.ycombinator.com/item?id=45909736</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=45909736</guid></item><item><title><![CDATA[New comment by philo23 in "A stateful browser agent using self-healing DOM maps"]]></title><description><![CDATA[
<p>Good to hear, that’s what I was hoping that it was doing.</p>
]]></description><pubDate>Thu, 16 Oct 2025 13:02:23 +0000</pubDate><link>https://news.ycombinator.com/item?id=45604806</link><dc:creator>philo23</dc:creator><comments>https://news.ycombinator.com/item?id=45604806</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=45604806</guid></item><item><title><![CDATA[New comment by philo23 in "A stateful browser agent using self-healing DOM maps"]]></title><description><![CDATA[
<p>Maybe this is a lack of understanding on my part, but this bit of the explanation sets off alarm bells for me:<p>> Under the hood, we're building a client-sourced RAG for the DOM. An agent's first move on a page is to check a vector DB for a known "map." ... This creates a wild side-effect: the system is self-healing for everyone. One person's failed automation accidentally fixes it for the next hundred users.<p>I think I'd like to know exactly what kind of data is extracted from the DOM to build that shared map.</p>
]]></description><pubDate>Thu, 16 Oct 2025 12:50:12 +0000</pubDate><link>https://news.ycombinator.com/item?id=45604701</link><dc:creator>philo23</dc:creator><comments>https://news.ycombinator.com/item?id=45604701</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=45604701</guid></item></channel></rss>