Converting strings to template strings

Mark S. Miller erights at google.com
Sun Mar 22 11:58:15 UTC 2015


Why on earth are you avoiding strict mode? I can't even begin to think of
the hazards from handling a user-provided string to be parsed non-strict.
Nor should anyone bother; sloppy mode is a mess that should simply be
avoided for all new code -- especially in the careful handling of a user
provided string!


On Sun, Mar 22, 2015 at 7:50 AM, Mark Miller <erights at gmail.com> wrote:

> The pattern [\S\s]*? admits a lot. Why are you confident that it can't
> contain a string that, for example, closes the function with an unbalanced
> "}", then has an evil expression which evaluates, followed by an
> unbalanced "{" so the whole thing still parses?
>
> On Sun, Mar 22, 2015 at 7:38 AM, Andrea Giammarchi <
> andrea.giammarchi at gmail.com> wrote:
>
>> Hi Mark, thanks for pointing that out but if I understand the problem
>> correctly then the snippet I've suggested concatenates strings and will
>> never produce those problematic syntax errors. Can I say it's still safe?
>> Or do you think it might have some problem in Safari?
>>
>> Cheers
>>
>> On Sun, Mar 22, 2015 at 11:28 AM, Mark S. Miller <erights at google.com>
>> wrote:
>>
>>>
>>>
>>> On Sun, Mar 22, 2015 at 6:46 AM, Andrea Giammarchi <
>>> andrea.giammarchi at gmail.com> wrote:
>>>
>>>> There's no such functionality indeed but you might want to have a look
>>>> at this gist:
>>>> https://gist.github.com/WebReflection/8f227532143e63649804
>>>>
>>>> It gives you the ability to write
>>>> `'test1 ${1 + 2} test2 ${3 + 4}'.template();` and read `test1 3 test2 7`
>>>> or to pass an object similar to .NET String.format so that your Stack
>>>> Overflow code would be like the following:
>>>>
>>>> ```js
>>>>
>>>> let a = "b:${b}";
>>>> let b = 10;
>>>>
>>>> console.log(a.template({b:b}));
>>>>
>>>> // or
>>>>
>>>> console.log(a.template({b:27}));
>>>>
>>>> ```
>>>>
>>>> You pass named properties and it works with nested properties too (i.e.
>>>> ${down.the.road})
>>>>
>>>> It does use Function which is safe,
>>>>
>>>
>>>
>>> Function is safe almost everywhere, but it is worth pointing out
>>>
>>> https://bugs.webkit.org/show_bug.cgi?id=106160
>>> https://bugs.webkit.org/show_bug.cgi?id=131137
>>> test_CANT_SAFELY_VERIFY_SYNTAX at
>>> https://code.google.com/p/google-caja/source/browse/trunk/src/com/google/caja/ses/repairES5.js#3198
>>> repair_CANT_SAFELY_VERIFY_SYNTAX at
>>> https://code.google.com/p/google-caja/source/browse/trunk/src/com/google/caja/ses/repairES5.js#4170
>>>
>>> After the repair, the Function constructor is safe again on Safari, but
>>> at considerable expense.
>>>
>>>
>>>
>>>
>>>> compared to eval, and needed to eventually de-opt from 'use strict' but
>>>> of course you could write your own parser avoiding Function completely.
>>>>
>>>> Finally, I agree it would be nice to be able to have a standard way to
>>>> template strings in JS, the templating as it is plays very poorly with
>>>> runtime generated strings, using eval for that looks the dirtiest thing on
>>>> earth.
>>>>
>>>> Regards
>>>>
>>>>
>>>>
>>>> On Sun, Mar 22, 2015 at 10:05 AM, KOLANICH <kolan_n at mail.ru> wrote:
>>>>
>>>>> I needed a functionality but haven't found it.
>>>>> See
>>>>> https://stackoverflow.com/questions/29182244/convert-a-string-to-a-template-string
>>>>> for more details.
>>>>> I think that this should be included in the standard.
>>>>>
>>>>>
>>>>> Also we need a standard format string functionality like
>>>>> https://msdn.microsoft.com/en-us/library/system.string.format.aspx
>>>>> and https://docs.python.org/2/library/string.html#string-formatting
>>>>>
>>>>> _______________________________________________
>>>>> es-discuss mailing list
>>>>> es-discuss at mozilla.org
>>>>> https://mail.mozilla.org/listinfo/es-discuss
>>>>>
>>>>>
>>>>
>>>>
>>>>
>>>
>>>
>>> --
>>>     Cheers,
>>>     --MarkM
>>>
>>
>>
>>
>>
>
>
> --
> Text by me above is hereby placed in the public domain
>
>   Cheers,
>   --MarkM
>



-- 
    Cheers,
    --MarkM
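
The alternative raised in the thread, writing a parser that avoids Function completely, could look like the following. This is an added example, not code from the gist or from any participant in the thread; `safeTemplate`, `resolvePath` and the sample inputs are hypothetical names and constructed values, and it supports only dotted property paths, not expressions such as `${1 + 2}`.

```javascript
'use strict';

// Added example: ${path} interpolation with no Function/eval involved.
// Placeholder contents are never parsed as code, only as a property path.
const PLACEHOLDER = /\$\{([^}]*)\}/g;
const PATH = /^[A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)*$/;
const FORBIDDEN = new Set(['__proto__', 'constructor', 'prototype']);

// Walk own properties only, so inherited members are never reachable.
function resolvePath(data, path) {
  let value = data;
  for (const key of path.split('.')) {
    if (FORBIDDEN.has(key)) throw new TypeError(`forbidden key: ${key}`);
    if (value === null || typeof value !== 'object' ||
        !Object.prototype.hasOwnProperty.call(value, key)) {
      throw new ReferenceError(`unknown placeholder: ${path}`);
    }
    value = value[key];
  }
  return value;
}

function safeTemplate(text, data) {
  return text.replace(PLACEHOLDER, (match, expr) => {
    const path = expr.trim();
    // Reject anything that is not a plain dotted identifier path.
    if (!PATH.test(path)) {
      throw new SyntaxError(`not a property path: ${JSON.stringify(expr)}`);
    }
    return String(resolvePath(data, path));
  });
}

// Constructed inputs. The second has the unbalanced-brace shape discussed
// in the thread; here the text after the placeholder stays inert output.
console.log(safeTemplate('b:${b}', { b: 10 }));                 // b:10
console.log(safeTemplate('${b}} ; later() ; {', { b: 1 }));     // 1} ; later() ; {
```

Because the template text is never concatenated into source code, there is no syntax for an unbalanced brace to break out of; the cost is that expressions inside placeholders are rejected rather than evaluated.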