It even says so on the official website (https://oauth.net/2/grant-types/implicit/) - astonishing that they can't get this right. Maybe that says something about the product?
Entirely agree and we recommend using Auth Code+PKCE whenever possible. This post is intended to be the first of a few starting with the base spec. In the next one, I plan to go over the RFCs for JWT, Revocation, Inspection, PKCE, the AppAuth pattern, and probably a few others.
I am not sure about you, but as my career as a developer progressed, I rely less on Stack Overflow today than I did in the past. To me it seems that this survey may have a strong bias.
The article doesn't actually talk about preventing injection attacks, but rather identifying potential attack surfaces by doing an AST search for eval/exec in combination with mutable variables. The article does not explain what limitations exist for their runtime check:
> This results in 5 false positives (out of 56 benign inputs), which are caused by limitations of the static analysis (3/5) or node types outside of the safe set (2/5).
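To make the approach the comment describes concrete, here is a small added example (my own code, not the article's tool and not the commenter's) that does the kind of AST search discussed: it walks a Python module, finds calls to `eval`/`exec` (direct or via `builtins.`), and reports those whose first argument is not a string literal or a module-level name assigned exactly once to a string literal. The sample module and the rule that "one constant assignment at module level counts as static" are assumptions chosen for illustration; the last sample line is there to show the static-analysis false positive the quoted sentence alludes to.

```python
import ast

# Calls the scan treats as dynamic code execution sinks (assumption: eval/exec only).
DYNAMIC_EXEC_FUNCS = {"eval", "exec"}

# Constructed sample module used as input; it is not code from the article.
SAMPLE = '''import builtins
FORMULA = "1 + 2"
eval(FORMULA)                    # single constant assignment: treated as static
eval("2 * 3")                    # string literal: treated as static
eval(FORMULA.strip())            # still constant in practice, but flagged: false positive
expr = input("expr> ")
eval(expr)                       # user-controlled value: flagged
def run(code):
    exec(code)                   # function parameter, unknown origin: flagged
MODE = "a"
MODE = MODE + "b"
builtins.eval(MODE)              # name reassigned, i.e. mutable: flagged
'''


def _call_name(func):
    """Return the called name for `eval(...)`/`builtins.eval(...)` style calls, else None."""
    if isinstance(func, ast.Name):
        return func.id
    if (isinstance(func, ast.Attribute)
            and isinstance(func.value, ast.Name)
            and func.value.id == "builtins"):
        return func.attr
    return None


def _module_level_assignments(tree):
    """Map each module-level name to the list of value nodes assigned to it."""
    assigned = {}
    for stmt in tree.body:
        if isinstance(stmt, ast.Assign):
            for target in stmt.targets:
                if isinstance(target, ast.Name):
                    assigned.setdefault(target.id, []).append(stmt.value)
        elif isinstance(stmt, (ast.AugAssign, ast.AnnAssign)) and isinstance(stmt.target, ast.Name):
            # AugAssign always mutates; AnnAssign may have no value. Both end up non-static below.
            assigned.setdefault(stmt.target.id, []).append(stmt.value)
    return assigned


def _is_static_string(arg, assigned):
    """A string literal, or a module-level name bound exactly once to a string literal."""
    if isinstance(arg, ast.Constant):
        return isinstance(arg.value, str)
    if isinstance(arg, ast.Name):
        values = assigned.get(arg.id, [])
        return (len(values) == 1
                and isinstance(values[0], ast.Constant)
                and isinstance(values[0].value, str))
    return False


def find_dynamic_code_execution(source):
    """Return sorted (lineno, function, argument_source) for eval/exec calls
    whose first argument is not provably a static string."""
    tree = ast.parse(source)
    assigned = _module_level_assignments(tree)
    findings = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        name = _call_name(node.func)
        if name not in DYNAMIC_EXEC_FUNCS or not node.args:
            continue
        arg = node.args[0]
        if _is_static_string(arg, assigned):
            continue
        findings.append((node.lineno, name, ast.unparse(arg)))
    return sorted(findings)


if __name__ == "__main__":
    for lineno, func, arg in find_dynamic_code_execution(SAMPLE):
        print(f"line {lineno}: {func}({arg}) takes a non-static argument")
```

The `eval(FORMULA.strip())` line is the point of the exercise: the value is constant, but a purely syntactic rule cannot see through the method call, so it is reported. A scan like this is an attack-surface finder, not a proof of safety; names rebound inside functions via `global`, aliases of `eval`, and `getattr(builtins, ...)` lookups would all slip past it.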
Something being apparent (in a certain demographic) does not in any sense reduce the validity of scientific research in this area. There have been great papers on topics like these in the past, some of them even award-winning and read-worthy.
Read-worthy for anyone who was a bit high like me and did a double take (sorry if this is against etiquette, I don’t have anything substantial to add to what you said)