Implicitly escaped $ (or not) in quasis?

gaz Heyes gazheyes at
Wed Jun 27 02:54:07 PDT 2012

On 27 June 2012 10:06, Brendan Eich <brendan at> wrote:

> What's the difference between
>  `lit1 ${exp1} lit2 ${exp2} lit3`
> and
>  sprintf("lit1 %s lit2 %s lit3", exp1, exp2)

A list of variables would have to appear outside the backticks somehow like
the earlier example using a function call. If not even context aware text
could be used to expose variables and dom objects on the page if the
developer allows content inside backticks. A developer will assume that a
backtick is just another way to declare strings across multiple lines and
will probably (in most cases) account for escaping backticks but will fail
to account for variables being used inside backticks.

Another thing to consider is in server side languages such as PHP backticks
is an eval like construct and if a dev misplaces the backticks then instead
of XSS they will have remote code execution. Also in IE a backtick is a
valid attribute quote this would introduce new XSS vectors by reusing the
existing backticks with an injection.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the es-discuss mailing list