On 27 June 2012 15:59, Allen Wirfs-Brock <al...@wirfs-brock.com> wrote:
> I don't see why the above issue would be a problem with this quasi proposal, as quasi do no implicit evals or implicit reevaluation of substitution values.
>
> Consider this code:
>
>     var USER_INPUT = getUserInput(); // assume the value returned is "${globalVariable}"
>
>     var message = `USER_INPUT`; // The value of message is the string "USER_INPUT", no substitution occurred
>
>     var messageWithSub = `${USER_INPUT}`; // The value of messageWithSub is the string "${globalVariable}", literally. No eval is performed.
I understand the syntax now and I was correct with my initial assumptions. Although eval isn't performed on the placeholder text, you can access variables from outside the scope intended. For example:

    !function(){
      var cookie = document.cookie, x = 1;
      func`${cookie}`;
    }();

If an injection occurs within the Quasi-Literal then you can use unintended variables, because there is no strict definition of which variables substitution should occur for. I also wonder, if the syntax is extended to support accessing object properties, whether this is a further security risk.

    !function(){
      var x = 1; // intended to use this variable
      func`${arguments.callee.caller()}`;
      func`${arguments[0]}`;
    }();

It seems to me this is similar to having variable access inside string literals, and it presents a real security risk even when a developer escapes a quasi literal correctly.
_______________________________________________
es-discuss mailing list
es-discuss@mozilla.org
https://mail.mozilla.org/listinfo/es-discuss
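The two claims in the exchange above (a substituted value containing "${...}" is inert, but text injected into the source of a quasi/template literal can read any variable in the enclosing scope) can be shown side by side in modern JavaScript, where the proposal shipped as template literals. The following is an added example written for this page, not code from either poster. It uses new Function as a stand-in for a browser parsing a page whose script was assembled by a server that pasted untrusted text inside a template literal; the names secret, cookie, userInput and tag are constructed for the illustration.

```javascript
// Added example: scope reach of template-literal placeholders.
// Not part of the original thread; names and values are constructed.

// 1. A *value* that happens to contain "${...}" is never re-evaluated:
//    the placeholder here is the variable userInput, and its text is inert.
function substituteValue(userInput) {
  const secret = "in-scope secret"; // deliberately in scope, never read
  return `${userInput}`;
}

// 2. Hypothetical server-side rendering that pastes untrusted text into the
//    *source* of a template literal before the script is parsed. new Function
//    plays the role of the browser parsing the emitted page; `secret` stands
//    in for any variable (e.g. document.cookie) that lives in that scope.
function renderWithInjection(userInput) {
  const src =
    "var secret = 'in-scope secret';\n" +
    "return `Hello ${'" + userInput + "'}`;";
  return new Function(src)();
}

// 3. The same rendering with no injection point: untrusted text is passed as a
//    value, so the only placeholder is one the developer wrote.
function renderSafely(userInput) {
  const secret = "in-scope secret"; // still in scope, still unreachable
  return `Hello ${userInput}`;
}

// 4. A tag function receives substitution values *already evaluated*. The tag
//    can escape what it is handed, but it cannot restrict which in-scope names
//    the placeholders were allowed to read, which is the reply's point.
function tag(strings, ...values) {
  return values.map(String).join("|");
}
function taggedLeak() {
  const cookie = "session=abc"; // constructed stand-in for document.cookie
  return tag`${cookie}`;
}

const BENIGN = "world";
// Constructed payload: closes the string inside the placeholder, concatenates
// the in-scope variable, and reopens the string so the source still parses.
const PAYLOAD = "'+secret+'";

console.log(substituteValue("${secret}"));  // "${secret}", literal text
console.log(renderWithInjection(BENIGN));   // "Hello world"
console.log(renderWithInjection(PAYLOAD));  // "Hello in-scope secret"
console.log(renderSafely(PAYLOAD));         // "Hello '+secret+'"
console.log(taggedLeak());                  // "session=abc"
```

The practical check is whether untrusted text can ever reach the literal's source rather than one of its values; escaping inside a tag function (case 4) runs after the placeholder expression has already been evaluated, so it does nothing against case 2. Note that arguments.callee.caller, used in the reply's second snippet, is unavailable in strict-mode code and is not exercised here.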