Implicitly escaped $ (or not) in quasis?

gaz Heyes gazheyes at
Thu Jun 28 02:45:47 PDT 2012

On 27 June 2012 15:59, Allen Wirfs-Brock <allen at> wrote:
> I don't see why the above issue would be a problem with this quasi
> proposal, as quasi do no implicit evals or implicit reevaluation of
> substitution values.
> Consider this code:
> var USER_INPUT = getUserInput();  // assume the value returned is
> var message = `USER_INPUT`;   //The value of message is the string
> "USER_INPUT", no substitution occurred
> var messageWithSub =  `${USER_INPUT}`;  //The value of messageWithSub is
> the string "${globalVariable}", literally.  No eval is performed.

I understand the syntax now and I was correct with my initial assumptions.
Although eval isn't performed on the placeholder text, you can access
variables from outside the scope intended. For example:

var cookie = document.cookie, x = 1;

If an injection occurs within the Quasi-Literal then you can use unintended
variables because there is no strict definition of which variables
substitution should occur on. I also wonder, if the syntax is extended to
support accessing object properties, whether this is a further security risk.

var x = 1; // intended to use this variable

It seems to me this is similar to having variable access inside string
literals and presents a real security risk even when a developer escapes a
quasi literal correctly.
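As an added illustration (not code from the thread), the two behaviours under discussion in JavaScript: a substitution value that contains `${...}` text is inserted verbatim and never re-evaluated, and a runtime substituter that resolves placeholders only against an explicitly passed object, so a template that arrives as untrusted data cannot reach in-scope variables such as `document.cookie`. The names `substituteOnce`, `renderScoped` and `templateIsScoped` are assumptions for this example.

```javascript
// Added example, not code from the es-discuss thread.
// (1) A template literal inserts substitution values verbatim: "${...}" text
//     arriving in a value is never re-evaluated, so the in-scope `secret`
//     is not reachable through the value.
// (2) renderScoped: placeholder substitution over a runtime string, resolved
//     only against an explicit object, for templates that come from untrusted data.

function substituteOnce(userInput) {
  const secret = "session-token"; // constructed stand-in for document.cookie; never read below
  return `${userInput}`;          // "${secret}" comes back as the literal text
}

// Placeholder grammar for the runtime engine: ${identifier} only.
const PLACEHOLDER = /\$\{([A-Za-z_$][\w$]*)\}/g;

function renderScoped(template, scope) {
  // Own enumerable keys of `scope` are the whole substitution namespace.
  // A null-prototype copy keeps "constructor", "toString" etc. out of reach.
  const allowed = Object.assign(Object.create(null), scope);
  return template.replace(PLACEHOLDER, (whole, name) => {
    if (!(name in allowed)) {
      throw new Error(`placeholder ${whole} is outside the substitution scope`);
    }
    // A replacer function's return value is inserted literally: no second pass
    // over the output and no "$&"-style pattern interpretation of the value.
    return String(allowed[name]);
  });
}

// True if every placeholder in `template` resolves under `scope`.
function templateIsScoped(template, scope) {
  try { renderScoped(template, scope); return true; } catch (e) { return false; }
}
```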