On 26 June 2012 17:19, Allen Wirfs-Brock <al...@wirfs-brock.com> wrote:
> I'm working on incorporating quasis into the ES6 draft and there is an
> issue I want to discuss:
>
> In the wiki proposal[1] $ is used as the prefix for substitutions that
> may be of two forms:
> `xyz$foo 1234` //$foo substitutes the value of the variable foo
> `xyz${foo} 1234` ${expr} generally substitutes the result of
> evaluating expr, so ${foo} substitutes the value of foo

I have to say I disagree with the whole feature; this will introduce a new class of DOM-based XSS attacks, since developers in their infinite wisdom will use this feature to place user input inside multi-line strings, e.g. message = `USER_INPUT`, with the attack being ${globalVariable}. A list of variable substitutions would mitigate that risk, like how the printf function works, but allowing any variable reference is a bad idea IMO.

I would also like to see how the context-aware escaping would work, since in order to provide such a mechanism you would have to render the content at some point, and the context could change and the user input could change when the content is rendered. Given that CSS doesn't provide any way to safely escape user input in property names/values without fully whitelisting the whole specification, I fail to see how context-aware escaping would work in that instance.
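The following is an added example and not code from the thread or from the quasi-literal proposal. It shows what the `${expr}` substitution in the quoted draft does when the literal is evaluated, and puts the plain substitution next to a tag function (the mechanism the proposal's escaping scheme builds on) that escapes every substituted value for an HTML text/attribute context, which is the printf-like "only these values, and treated as data" behaviour the reply asks for. The `html` tag, the `escapeHtml` helper and the `USER_INPUT` sample string are all constructed here for illustration.

```javascript
// Added example (not part of the es-discuss thread or the ES6 draft).

// Plain substitution: ${foo} is evaluated where the template literal is
// written, and its string value is spliced into the literal unchanged.
function substitute(foo) {
  return `xyz${foo} 1234`;
}

// Minimal HTML escaper for text content and quoted attribute values.
const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Tag function (hypothetical name `html`): the literal string parts written
// by the developer pass through untouched, while every substituted value is
// escaped. Markup can therefore only come from the author's own template
// text, never from a substituted value.
function html(strings, ...values) {
  let out = strings[0];
  for (let i = 0; i < values.length; i++) {
    out += escapeHtml(values[i]) + strings[i + 1];
  }
  return out;
}

// Constructed sample of attacker-controlled input reaching a template.
const USER_INPUT = "<script>alert(1)</script>";

// Untagged literal: the value is inserted verbatim, so the markup survives
// and would execute if the result were written into the DOM.
function buildGreetingUnescaped(name) {
  return `<p>Hello, ${name}!</p>`;
}

// Tagged literal: the same template, but the substituted value is escaped.
function buildGreeting(name) {
  return html`<p>Hello, ${name}!</p>`;
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(substitute("foo"));
  console.log(buildGreetingUnescaped(USER_INPUT));
  console.log(buildGreeting(USER_INPUT));
}
```

The tag only knows one context (HTML text and quoted attribute values); a value substituted into a URL, a script block or a CSS property would need a different escaper, which is the context problem the reply raises.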
_______________________________________________ es-discuss mailing list es-discuss@mozilla.org https://mail.mozilla.org/listinfo/es-discuss