Implicitly escaped $ (or not) in quasis?

Brendan Eich brendan at mozilla.org
Wed Jun 27 04:38:00 PDT 2012


gaz Heyes wrote:
> On 27 June 2012 10:06, Brendan Eich <brendan at mozilla.org> wrote:
>
>     What's the difference between
>
>      `lit1 ${exp1} lit2 ${exp2} lit3`
>
>     and
>
>      sprintf("lit1 %s lit2 %s lit3", exp1, exp2)
>
>
> A list of variables would have to appear outside the backticks somehow, 
> like the earlier example using a function call. If not, even 
> context-aware text could be used to expose variables and DOM objects on 
> the page if the developer allows content inside backticks. A developer 
> will assume that a backtick is just another way to declare strings 
> across multiple lines and will probably (in most cases) account for 
> escaping backticks, but will fail to account for variables being used 
> inside backticks.

You assume a developer will assume something. We need evidence.

Lots of languages, e.g. CoffeeScript after Ruby, or bash after the 
Bourne shell (sh), use embedded expressions in ${...} or #{...} brackets 
in distinguished strings (e.g., double-quoted strings).

These languages don't obviously have more injection attacks based on 
failure to sanitize than languages with printf-style format strings. 
Indeed, the mismatch problem makes the latter actually unsafe (even 
memory-unsafe) in too many languages.


> Another thing to consider is that in server-side languages such as PHP, 
> backticks are an eval-like construct, and if a dev misplaces the 
> backticks then instead of XSS they will have remote code execution.

Yes, that's a drag. We lack good options that anyone can type, though. 
If I recall correctly, an earlier proposal used

   format "..."

with format a contextual keyword. In that case one could even switch 
from embedded ${...} expressions to printf-style trailing arguments, and 
still have static checking that format specifier and trailing argument 
counts agree. But then we don't get multiline strings, and the minimal 
escape interpretation of quasis would be unexpected in anything double 
(or single) quoted.

Also: PHP, really? Let's not cross the streams and degrade JS syntax 
just in case. We would need evidence more than the hypothetical risk you 
cite (I appreciate that you wrote "Another thing to consider", instead 
of calling this an actual problem -- if you have evidence, please lay it 
out here).

> Also, in IE a backtick is a valid attribute quote; this would introduce 
> new XSS vectors by reusing the existing backticks with an injection.

Insane. What version(s) of IE? You mean in HTML? That's not standard; of 
course it never was, but with HTML5 and new IE releases, is this still 
supported?

/be
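The sprintf-versus-quasi comparison above, as an added example that is not part of the thread: a tag function sees the literal pieces and the `${...}` substitutions separately, so it can escape the substitutions for an HTML context and never has a specifier/argument count mismatch, while a `%s`-style formatter (a minimal one constructed here for comparison) can silently disagree with its arguments. The `html` and `sprintf` names and the sample input are constructed for this example.

```javascript
// Added example (not from the thread). Escape table for an HTML text/attribute
// context; the backtick is included because the thread notes IE accepts it as
// an attribute quote.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;', '`': '&#96;' };

function escapeHtml(value) {
  return String(value).replace(/[&<>"'`]/g, (ch) => HTML_ESCAPES[ch]);
}

// Quasi handler (tag function): `strings` holds the literal text between the
// ${...} holes, `values` holds the evaluated substitutions. The language
// guarantees strings.length === values.length + 1, so literal text and
// substitutions can never be confused and there is no count to check.
function html(strings, ...values) {
  let out = strings[0];
  for (let i = 0; i < values.length; i++) {
    out += escapeHtml(values[i]) + strings[i + 1];
  }
  return out;
}

// Minimal %s-only formatter, constructed for comparison. Nothing ties the
// number of %s specifiers to the number of arguments at the call site.
function sprintf(fmt, ...args) {
  let i = 0;
  return fmt.replace(/%s/g, () => (i < args.length ? String(args[i++]) : '%s'));
}

// Returns specifiers minus arguments: 0 means they agree, anything else is the
// mismatch the thread describes (extra args dropped, missing args leave '%s').
function sprintfMismatch(fmt, ...args) {
  const specifiers = (fmt.match(/%s/g) || []).length;
  return specifiers - args.length;
}

// Constructed sample input: untrusted text carrying markup.
const untrusted = '<img src=x onerror="alert(1)">';
const rendered = html`<p class="msg">${untrusted}</p>`;
// rendered → '<p class="msg">&lt;img src=x onerror=&quot;alert(1)&quot;&gt;</p>'
```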


More information about the es-discuss mailing list