Implicitly escaped $ (or not) in quasis?

gaz Heyes gazheyes at gmail.com
Wed Jun 27 01:49:42 PDT 2012


On 26 June 2012 17:19, Allen Wirfs-Brock <allen at wirfs-brock.com> wrote:

> I'm working on incorporating quasis into the ES6 draft and there is an
> issue I want to discuss:
>
> In the wiki proposal[1]  $  is used as the prefix for substitutions that
> may be of two forms:
>    `xyz$foo 1234`      // $foo substitutes the value of the variable foo
>    `xyz${foo} 1234`    // ${expr} generally substitutes the result of
> evaluating expr, so ${foo} substitutes the value of foo
>

I have to say I disagree with the whole feature; this will introduce a new
class of DOM-based XSS attacks, since developers in their infinite wisdom
will use this feature to place user input inside multi-line strings, e.g.
message = `USER_INPUT`, with the attack being ${globalVariable}. A list of
variable substitutions would mitigate that risk, like how the printf
function works, but allowing any variable reference is a bad idea IMO. I
would also like to see how the context-aware escaping would work, since in
order to provide such a mechanism you would have to render the content at
some point, and the context could change and the user input could change
when the content is rendered. Given that CSS doesn't provide any way to
safely escape user input in property names/values without whitelisting
the whole specification, I fail to see how context-aware escaping
would work in that instance.
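As an added example, not code from either poster, here is the substitution behaviour under discussion as it shipped in ES6 template literals, plus one shape of context-aware escaping via a tag function. It shows three things a practitioner would want to check: an untagged template evaluates `${expr}` and inserts the result verbatim; a runtime string value that merely contains the characters `${...}` is not re-interpolated, because substitution is a property of source text; and when user input is spliced into the template source itself (the `message = `USER_INPUT`` scenario above, reproduced here with `new Function` standing in for any code-generation step), a `${globalVariable}` in the input is evaluated. The `html` tag covers only the HTML text/attribute-value context; the names `escapeHtml`, `html`, `renderUntagged`, `renderTagged`, `renderStringValue`, `injectedInSource` and the `secret` global are this example's own, and the payloads are constructed inputs.

```javascript
// Added example (not from the thread). Demonstrates ES6 template-literal
// substitution and a tag-function approach to context-aware escaping.

// Escape for the HTML text / double-quoted attribute-value context.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Tag function: the literal chunks ("strings") are trusted source text,
// the substituted values are untrusted and are escaped before insertion.
function html(strings, ...values) {
  return strings.reduce(
    (out, str, i) => out + str + (i < values.length ? escapeHtml(values[i]) : ''),
    ''
  );
}

// Untagged template: ${name} is evaluated and inserted verbatim (XSS if
// name is attacker-controlled and the result reaches innerHTML).
function renderUntagged(name) {
  return `<p>Hello, ${name}</p>`;
}

// Same source shape with the html tag: substitutions pass through escapeHtml.
function renderTagged(name) {
  return html`<p>Hello, ${name}</p>`;
}

// A runtime string VALUE containing "${...}" is not interpolated again:
// the text is inserted literally, no expression is evaluated.
function renderStringValue(userString) {
  const name = userString; // e.g. the string '${secret}'
  return `<p>Hello, ${name}</p>`;
}

// The scenario from the message above: user input lands INSIDE the template
// source text. new Function stands in for any server-side code generation or
// eval that emits a backtick literal; now ${...} in the input is evaluated
// with access to globals.
globalThis.secret = 'session-token'; // constructed stand-in for any global the attacker names
function injectedInSource(userInput) {
  const src = 'return `USER:' + userInput + '`;';
  return new Function(src)();
}
```

Usage: `renderUntagged(payload)` returns the payload unchanged, `renderTagged(payload)` returns it with `<`, `>`, `&`, `"` and `'` escaped, `renderStringValue('${secret}')` returns the literal text `${secret}`, and `injectedInSource('${secret}')` returns `USER:session-token`. Only the last path evaluates the attacker's `${...}`, because only there does the input become part of the template's source text.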