Implicitly escaped $ (or not) in quasis?
Brendan Eich
brendan at mozilla.org
Wed Jun 27 04:38:00 PDT 2012
gaz Heyes wrote:
> On 27 June 2012 10:06, Brendan Eich <brendan at mozilla.org> wrote:
>
> What's the difference between
>
> `lit1 ${exp1} lit2 ${exp2} lit3`
>
> and
>
> sprintf("lit1 %s lit2 %s lit3", exp1, exp2)
>
>
> A list of variables would have to appear outside the backticks somehow,
> like the earlier example using a function call. If not, even context-
> aware text could be used to expose variables and DOM objects on the
> page if the developer allows content inside backticks. A developer
> will assume that a backtick is just another way to declare strings
> across multiple lines and will probably (in most cases) account for
> escaping backticks but will fail to account for variables being used
> inside backticks.
You assume a developer will assume something. We need evidence.
Lots of languages, e.g. CoffeeScript after Ruby, or bash after the
Bourne shell (sh), use embedded expressions in ${...} or #{...} brackets
in distinguished strings (e.g., double-quoted strings).
These languages don't obviously have more injection attacks based on
failure to sanitize than languages with printf-style format strings.
Indeed the mismatch problem makes the latter actually unsafe (even
memory-unsafe) in too many languages.
> Another thing to consider is that in server-side languages such as PHP,
> backticks are an eval-like construct, and if a dev misplaces the
> backticks then instead of XSS they will have remote code execution.
Yes, that's a drag. We lack good options that anyone can type, though.
If I recall correctly, an earlier proposal used
format "..."
with format a contextual keyword. In that case one could even switch
from embedded ${...} expressions to printf-style trailing arguments, and
still have static checking that format specifier and trailing argument
counts agree. But then we don't get multiline strings, and the minimal
escape interpretation of quasis would be unexpected in anything double
(or single) quoted.
Also: PHP, really? Let's not cross the streams and degrade JS syntax
just in case. We would need evidence more than the hypothetical risk you
cite (I appreciate that you wrote "Another thing to consider", instead
of calling this an actual problem -- if you have evidence, please lay it
out here).
> Also, in IE a backtick is a valid attribute quote; this would introduce
> new XSS vectors by reusing the existing backticks with an injection.
Insane. What version(s) of IE? You mean in HTML? That's not standard; of
course it never was, but with HTML5 and new IE releases, is this still
supported?
/be
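The two sides of this exchange (a plain backtick string interpolating substitutions verbatim versus a sprintf-style call with a separate argument list) can be made concrete. The following is an added example, not code from the es-discuss thread or from any participant. It assumes nothing beyond standard ES2015 template literals: a hypothetical `html` tag function that escapes every `${...}` substitution for an HTML context (including the backtick, since the thread notes IE accepts it as an attribute quote), shown beside an untagged literal that does not escape, plus a small hypothetical `sprintf` that throws when the format-specifier count and the trailing-argument count disagree, which is the static-mismatch check Brendan mentions.

```javascript
// Added example (not from the es-discuss thread). `html`, `escapeHtml`,
// `renderUnescaped`, `renderEscaped` and `sprintf` are hypothetical names.

// Replacement table for an HTML text/attribute context. The backtick is
// included because the thread notes IE treats it as an attribute quote.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;',
  '"': '&quot;', "'": '&#39;', '`': '&#96;',
};

function escapeHtml(value) {
  return String(value).replace(/[&<>"'`]/g, (ch) => HTML_ESCAPES[ch]);
}

// Tag function: the literal parts (`strings`) are author-written text and are
// kept as-is; every substitution (`values`) is escaped before insertion.
function html(strings, ...values) {
  let out = strings[0];
  for (let i = 0; i < values.length; i++) {
    out += escapeHtml(values[i]) + strings[i + 1];
  }
  return out;
}

// Untagged template literal: the substitution lands in the output verbatim,
// which is the behaviour a developer expecting "just a multi-line string"
// may not anticipate.
function renderUnescaped(name) {
  return `<p>Hello ${name}</p>`;
}

// Same literal, tagged: substitutions are escaped, literal markup is kept.
function renderEscaped(name) {
  return html`<p>Hello ${name}</p>`;
}

// sprintf-style alternative: arguments live outside the string, and the
// number of %s/%d specifiers must match the number of arguments, otherwise
// a TypeError is thrown instead of silently producing garbage.
function sprintf(format, ...args) {
  const specs = format.match(/%[sd%]/g) || [];
  const needed = specs.filter((s) => s !== '%%').length;
  if (needed !== args.length) {
    throw new TypeError(
      `sprintf: format needs ${needed} argument(s), got ${args.length}`);
  }
  let i = 0;
  return format.replace(/%([sd%])/g, (match, c) => {
    if (c === '%') return '%';
    const a = args[i++];
    return c === 'd' ? String(Number(a)) : String(a);
  });
}

// Usage: a constructed untrusted value containing markup.
const untrusted = '<b>x</b>';
console.log(renderUnescaped(untrusted)); // markup passes through
console.log(renderEscaped(untrusted));   // markup is escaped
console.log(sprintf('lit1 %s lit2 %s lit3', 'exp1', 'exp2'));
```

The design point is that the escaping policy lives in the tag, not in each call site: a reviewer only needs to grep for untagged backtick literals that reach HTML, rather than auditing every `${...}` individually.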
More information about the es-discuss mailing list