On 27 June 2012 15:59, Allen Wirfs-Brock <al...@wirfs-brock.com> wrote:
>
> I don't see why the above issue would be a problem with this quasi
> proposal, as quasi do no implicit evals or implicit reevaluation of
> substitution values.
>
> Consider this code:
>
> var USER_INPUT = getUserInput();  // assume the value returned is
> "${globalVariable}"
>
> var message = `USER_INPUT`;   //The value of message is the string
> "USER_INPUT", no substitution occurred
>
> var messageWithSub =  `${USER_INPUT}`;  //The value of messageWithSub is
> the string "${globalVariable}", literally.  No eval is performed.


I understand the syntax now and I was correct with my initial assumptions.
Although eval isn't performed on the placeholder text, you can access
variables from outside the scope intended. For example:

!function(){
var cookie=document.cookie, x =1;
func`${cookie}`;
}();

If an injection occurs within the Quasi-Literal then you can use unintended
variables because there is no strict definition of which variables
substitution should occur for. I also wonder, if the syntax is extended to
support accessing object properties, whether this is a further security risk.

!function(){
var x =1; //intended to use this variable
func`${arguments.callee.caller()}`;
func`${arguments[0]}`;
}();

It seems to me this is similar to having variable access inside string
literals and presents a real security risk even when a developer escapes a
quasi literal correctly.
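The mechanics under discussion, as an added example that is not code from this thread, written in the ES2015 tagged template syntax the quasi proposal became. The tag functions `html` and `inspectingTag`, the helper `escapeHtml`, and the sample values are constructed here for illustration. It shows the two points the thread turns on: a substitution value that merely contains "${...}" is a plain string and is never re-evaluated, and a tag function receives only the literal fragments plus the substitutions the author listed, nothing else from the enclosing scope.

```javascript
// Added example (not from the original thread). Assumes ES2015 template
// literals; all function names and sample values below are constructed.

// Escape the characters that matter in an HTML text context.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// A tag that escapes every *substitution* but leaves the author-written
// literal fragments untouched. `strings` are the fragments between the
// ${...} holes; `values` are the already-evaluated substitutions.
function html(strings, ...values) {
  return strings.reduce(
    (out, str, i) => out + str + (i < values.length ? escapeHtml(values[i]) : ''),
    ''
  );
}

const secret = 'session-token-123';   // constructed value the attacker would like to read

// Point 1: untrusted text that looks like a substitution is just a string.
// The runtime value of userInput is never parsed as template syntax, so
// '${secret}' comes back literally and `secret` is not exposed.
function interpolateUntrusted(userInput) {
  return html`<p>${userInput}</p>`;
}

// Same without a tag: the only "${...}" that is evaluated is the one the
// author typed at the literal, and it evaluates to the value of userInput.
function plainInterpolation(userInput) {
  return `${userInput}`;
}

// Point 2: what a tag function actually receives. It gets the fragments
// and the listed substitution values; it has no handle on `other`, on
// `secret`, or on anything else in the caller's scope.
function inspectingTag(strings, ...values) {
  return { strings: Array.from(strings), values };
}

function whatTheTagSees() {
  const listed = 'only-this';
  const other = 'never-passed';   // in scope, but not a substitution
  void other;
  return inspectingTag`a${listed}b`;
}
```

The practical reading: substitutions are resolved at the literal, by the author's code, in the author's lexical scope. A tag such as `html` can therefore decide per value how to encode it, while a value that contains template-looking text stays inert. Someone who can alter the literal's source itself is already running code in that scope, and no escaping discipline on values addresses that case.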
_______________________________________________
es-discuss mailing list
es-discuss@mozilla.org
https://mail.mozilla.org/listinfo/es-discuss
