What Limitations of CSP Have in Relation to XSS with HTMX?

[benjamin-kirkbride]

I have seen discussions in multiple places regarding HTMX (and Alpine.js) regarding XSS. Some examples:

• https://news.ycombinator.com/item?id=32158352
• https://htmx.org/docs/ (ctrl-f -> "XSS")
• https://htmx.org/attributes/hx-vars/
• https://htmx.org/attributes/hx-vals/
• https://htmx.org/attributes/hx-headers/

All of these examples give some context and info on how to mitigate these effects. My question is, is it exhaustive? Does the advice that follows each of the HTMX docs above constitute a complete set of instructions on how to avoid XSS?