Implicitly escaped $ (or not) in quasis?

gaz Heyes gazheyes at gmail.com
Thu Jun 28 02:45:47 PDT 2012


On 27 June 2012 15:59, Allen Wirfs-Brock <allen at wirfs-brock.com> wrote:
>
> I don't see why the above issue would be a problem with this quasi
> proposal, as quasi do no implicit evals or implicit reevaluation of
> substitution values.
>
> Consider this code:
>
> var USER_INPUT = getUserInput();  // assume the value returned is
> "${globalVariable}"
>
> var message = `USER_INPUT`;   // The value of message is the string
> "USER_INPUT", no substitution occurred
>
> var messageWithSub = `${USER_INPUT}`;  // The value of messageWithSub is
> the string "${globalVariable}", literally. No eval is performed.


I understand the syntax now and I was correct with my initial assumptions.
Although eval isn't performed on the placeholder text, you can access
variables from outside the scope intended. For example:

!function(){
  var cookie = document.cookie, x = 1;
  func`${cookie}`;
}();

If an injection occurs within the Quasi-Literal then you can use unintended
variables because there is no strict definition of which variables
substitution should occur on. I also wonder, if the syntax is extended to
support accessing object properties, whether this is a further security risk.

!function(){
  var x = 1; // intended to use this variable
  func`${arguments.callee.caller()}`;
  func`${arguments[0]}`;
}();

It seems to me this is similar to having variable access inside string
literals and presents a real security risk even when a developer escapes a
quasi literal correctly.
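An added example, not code from this thread, showing from the defender's side how a tag function handles the two cases discussed above: a substitution value that contains `${...}` is plain data and is never re-evaluated, while a `\$` written in the template source is an ordinary escape and not a substitution. The names `safeHtml`, `escapeHtml`, `renderGreeting` and the constructed `USER_INPUT` are assumptions for this example.

```javascript
// Minimal HTML escaper applied to substitution values only.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Tag handler (assumed name): `strings` are the literal parts the developer
// wrote, `values` are the already-evaluated ${...} results. The handler
// sees values as data and has no way to re-interpret them as quasi syntax.
function safeHtml(strings, ...values) {
  return strings.reduce(
    (out, str, i) => out + str + (i < values.length ? escapeHtml(values[i]) : ''),
    '',
  );
}

// Constructed untrusted input that looks like a substitution plus markup.
const USER_INPUT = '${globalVariable} <script>alert(1)</script>';

function renderGreeting(userInput) {
  const secret = 'session-token'; // a local that must stay unreachable
  // The ${...} text inside userInput arrives as a value, so it is never
  // evaluated: `secret` is not touched and the markup is escaped.
  return safeHtml`<p>Hello, ${userInput}!</p>`;
}

function escapedDollarStaysLiteral() {
  const x = 'should not appear';
  // `\${` in the template source is an escape sequence, not a substitution,
  // so the tag receives the literal text "${x}" and `x` is never read.
  return safeHtml`<p>\${x}</p>`;
}
```

The variable-scope concern raised in the post only arises when untrusted text becomes part of the template source itself (for example through string concatenation before evaluation), which is code injection rather than a property of the substitution mechanism.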