Unpoly enhances your HTML with attributes to build dynamic UI on the server. Unpoly works with any language or framework. It plays nice with existing code, and gracefully degrades without JavaScript.
The Unpoly library can perform same-origin HTTP requests and update the DOM using attributes. The following ones can be used:
The full list of attributes can be found here.
Although this is limited to same-origin HTTP requests (it performs fetch, write and replaceHistory, which updates the URL), it renders the response as HTML no matter the response Content-Type. Because of this, XSS is possible using a simple PNG file.
Unfortunately, the preview isn’t possible, as the lib triggers an error in a srcdoc iframe.
<!DOCTYPE html> <!-- idk why quirks mode is required -->
<script src="https://unpkg.com/[email protected]/unpoly.min.js"></script>
<!-- user input -->
<a href="/endpoint-with-user-data" up-target="main">Click Me</a>
<main></main>
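One way to refuse non-HTML responses before they are rendered, as an added example that is not code from the original page or from the Unpoly project. It assumes Unpoly's up:fragment:loaded event exposes event.response.contentType and honours preventDefault(); guardFragmentLoaded, sampleEvent and the sample values are hypothetical names constructed here.

```javascript
// Added example: allow fragment rendering only for responses declared as HTML.
const HTML_TYPES = new Set(['text/html', 'application/xhtml+xml']);

// Extract the lower-cased media type from a Content-Type header value,
// dropping parameters such as "; charset=utf-8". Returns null if unusable.
function mediaType(contentType) {
  if (typeof contentType !== 'string') return null;
  const type = contentType.split(';')[0].trim().toLowerCase();
  return /^[a-z0-9!#$&^_.+-]+\/[a-z0-9!#$&^_.+-]+$/.test(type) ? type : null;
}

function isHtmlResponse(contentType) {
  const type = mediaType(contentType);
  return type !== null && HTML_TYPES.has(type);
}

// Handler for a "fragment loaded" event. Assumed event shape:
// { response: { contentType }, preventDefault() }.
// Returns true when rendering is allowed, false when it was blocked.
function guardFragmentLoaded(event) {
  const declared = event.response && event.response.contentType;
  if (isHtmlResponse(declared)) return true;
  event.preventDefault(); // fail closed: a missing or non-HTML type is not rendered
  return false;
}

// Register in the browser only; in Node `up` is undefined and this is skipped.
if (typeof up !== 'undefined') {
  up.on('up:fragment:loaded', guardFragmentLoaded);
}

// Constructed sample events (not captured traffic).
function sampleEvent(contentType) {
  const ev = { response: { contentType }, prevented: false };
  ev.preventDefault = () => { ev.prevented = true; };
  return ev;
}

// Runs the guard over an HTML page, an uploaded PNG, a missing header
// and an upper-cased HTML type.
function runSamples() {
  return ['text/html; charset=utf-8', 'image/png', undefined, 'TEXT/HTML']
    .map((ct) => guardFragmentLoaded(sampleEvent(ct)));
}
```

The guard only covers the Content-Type confusion; markup from users still needs up-* attributes stripped by the sanitizer, since the gadget starts from an injected attribute.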
Related links: