Implicitly escaped $ (or not) in quasis?

gaz Heyes gazheyes at
Wed Jun 27 05:08:43 PDT 2012

On 27 June 2012 12:38, Brendan Eich <brendan at> wrote:

> You assume a developer will assume something. We need evidence.
> Lots of languages, e.g. CoffeeScript after Ruby, or bash after the Bourne
> shell (sh), use embedded expressions in ${...} or #{...} brackets in
> distinguished string (e.g., double-quoted strings).
> These languages don't obviously have more injection attacks based on
> failure to sanitize than languages with printf-style format strings. Indeed
> the mismatch problem makes the latter actually unsafe (even memory-unsafe)
> in too many languages.

I don't know how to provide evidence on a feature that doesn't exist yet
but here goes:

This has a XSS hole obviously but a dev wanted a multiline string from php
to JavaScript. Same thing could happen with this feature but if the php
variable was escaped correctly in the code sample to escape backticks then
it would still contain a XSS hole using a variable reference ${}.

> Another thing to consider is in server side languages such as PHP
> backticks is an eval like construct and if a dev misplaces the backticks
> then instead of XSS they will have remote code execution.
> Yes, that's a drag. We lack good options that anyone can type, though. If
> I recall correctly, an earlier proposal used
>  format "..."

I would prefer that syntax.

>  Also in IE a backtick is a valid attribute quote this would introduce new
>> XSS vectors by reusing the existing backticks with an injection.
> Insane. What version(s) of IE? You mean in HTML? That's not standard, of
> course it never was but with HTML5 and new IE releases, is this still
> supported?

<= IE9 and supported in IE10 using compat mode. You can also force a web
page into compat mode using a parent web page and a child iframe of a
target page.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the es-discuss mailing list