Template strings as a template language.

Andrea Giammarchi andrea.giammarchi at gmail.com
Tue Sep 15 15:36:50 UTC 2015


I don't think there's any risk in using my initial gist based on `Function`
and `with` ... really. You should **never** pass user inputs within `${parts}`;
you just pass a variable name there, or you reach a property.

```js
// .template() is assumed to be the String method added by the gist under
// discussion (not a built-in); the value is inserted as text, not executed.
var str = 'my ${gist}';
str.template({gist: 'window.alert(123)'});
// my window.alert(123)
```
The procedure is safe: it uses JSON for each surrounding string, and it
won't accept anything dangerous, unless you are the one passing templates
with dangerous stuff in them.
In a few words, you can surely footgun yourself, but only on your own; it's
your code.

However, if you let users write template strings for you ... then I
believe the problem is not exactly `Function`, but yeah, in such a case I would
think of some better tool that can properly parse template strings upfront, so
there's no risk at all once already converted.


> I have the impression that people want to use features provided by
`eval`, `Function` or `with`, but without pronouncing these taboo words.

Yep, "somebody" once mentioned how evil these things are, and his book is
still around (as well as his linter) ... people are scared just mentioning
those features, and `use strict` deprecating one of them didn't help either.
I still hope there will soon be a replacement for `with`, even read-only;
it was so handy in some cases.

Best Regards

On Tue, Sep 15, 2015 at 4:08 PM, Thomas <thomasjamesfoster at bigpond.com>
wrote:

> > On 16 Sep 2015, at 12:39 AM, Claude Pache <claude.pache at gmail.com>
> wrote:
> >
> > That doesn't make much sense, because regexps are first-class objects,
> while template literals are syntax.
> >
> > The nearest equivalent of the string-to-regexp feature is the
> string-to-code conversion facility provided by `eval` and `Function`.
> >
> > I have the impression that people want to use features provided by
> `eval`, `Function` or `with`, but without pronouncing these taboo words.
> > Just use them if you need to: at least you will be clear about what you
> are really doing.
>
> I would like to use a feature that today can only be achieved with `eval`,
> `with` or `Function`, but those three are hugely overpowered for the job
> (turning any old string into a template string). The 'taboo' about using
> eval, with and Function is justified, and it'd be nice to not have to rely
> upon them.
>
> >
> > —Claude
> >
> > _______________________________________________
> > es-discuss mailing list
> > es-discuss at mozilla.org
> > https://mail.mozilla.org/listinfo/es-discuss
>
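The alternative the thread asks for, a string turned into a template without `eval`, `Function` or `with`, as an added example (not Andrea's gist and not part of the original post). It assumes a hypothetical `template(str, data)` helper that treats each `${path}` as a property path to look up, so that a value such as `window.alert(123)` is inserted as text and a placeholder that is not a plain path is left untouched:

```js
// Added example: placeholders are lookup keys, never code, so template text
// of unknown origin cannot execute anything. Only dotted identifier paths
// match; anything else (calls, brackets, operators) is left verbatim.
const PLACEHOLDER = /\$\{\s*([A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)*)\s*\}/g;

function lookup(data, path) {
  // Walk "a.b.c" using own properties only, so prototype members such as
  // constructor or __proto__ are not reachable from a template.
  let current = data;
  for (const key of path.split('.')) {
    if (current === null || typeof current !== 'object' ||
        !Object.prototype.hasOwnProperty.call(current, key)) {
      return undefined;
    }
    current = current[key];
  }
  return current;
}

function template(str, data) {
  return str.replace(PLACEHOLDER, (match, path) => {
    const value = lookup(data, path);
    // Unresolved placeholders stay visible rather than silently vanishing.
    return value === undefined ? match : String(value);
  });
}

// Demo with constructed input: the value is inserted as text, not executed.
console.log(template('my ${gist}', { gist: 'window.alert(123)' }));
console.log(template('hi ${user.name}', { user: { name: 'Andrea' } }));
```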