Is it your intention to have these weird pseudo-template strings skip over
enclosing lexical scopes and go right to the global scope? What document
does

    function(document) {
      ...
      '....${...document...}...'.template()
      ...
    }

access? With a genuine template string

    function(document) {
      ...
      `....${...document...}...`
      ...
    }

it would access the lexically enclosing one, not the global one.

Alternatively, if you use SES's confine[1] rather than new
Function(...).call(...), the string would evaluate in an environment whose
only bindings are the safe globals and the properties of the second
argument to confine.

[1]
https://code.google.com/p/google-caja/source/browse/trunk/src/com/google/caja/ses/startSES.js#901







On Sun, Mar 22, 2015 at 7:58 AM, Mark S. Miller <erig...@google.com> wrote:

> Why on earth are you avoiding strict mode? I can't even begin to think of
> the hazards from handling a user-provided string to be parsed non-strict.
> Nor should anyone bother; sloppy mode is a mess that should simply be
> avoided for all new code -- especially in the careful handling of a user
> provided string!
>
>
> On Sun, Mar 22, 2015 at 7:50 AM, Mark Miller <erig...@gmail.com> wrote:
>
>> The pattern [\S\s]*? admits a lot. Why are you confident that it can't
>> contain a string that, for example, closes the function with an unbalanced
>> "}", then has an evil expression which evaluates, followed by an
>> unbalanced "{" so the whole thing still parses?
>>
>> On Sun, Mar 22, 2015 at 7:38 AM, Andrea Giammarchi <
>> andrea.giammar...@gmail.com> wrote:
>>
>>> Hi Mark, thanks for pointing that out but if I understand the problem
>>> correctly then the snippet I've suggested concatenates strings and will
>>> never produce those problematic syntax errors. Can I say it's still safe?
>>> Or do you think it might have some problem in Safari?
>>>
>>> Cheers
>>>
>>> On Sun, Mar 22, 2015 at 11:28 AM, Mark S. Miller <erig...@google.com>
>>> wrote:
>>>
>>>>
>>>>
>>>> On Sun, Mar 22, 2015 at 6:46 AM, Andrea Giammarchi <
>>>> andrea.giammar...@gmail.com> wrote:
>>>>
>>>>> There's no such functionality indeed but you might want to have a look
>>>>> at this gist:
>>>>> https://gist.github.com/WebReflection/8f227532143e63649804
>>>>>
>>>>> It gives you the ability to write `'test1 ${1 + 2} test2 ${3 + 4}'
>>>>> .template();` and read `test1 3 test2 7` or to pass an object similar
>>>>> to .Net String.format so that your Stack overflow code would be like the
>>>>> following:
>>>>>
>>>>> ```js
>>>>>
>>>>> let a = "b:${b}";
>>>>> let b = 10;
>>>>>
>>>>> console.log(a.template({b:b}));
>>>>>
>>>>> // or
>>>>>
>>>>> console.log(a.template({b:27}));
>>>>>
>>>>> ```
>>>>>
>>>>> You pass named properties and it works with nested properties too
>>>>> (i.e. ${down.the.road})
>>>>>
>>>>> It does use Function which is safe,
>>>>>
>>>>
>>>>
>>>> Function is safe almost everywhere, but it is worth pointing out
>>>>
>>>> https://bugs.webkit.org/show_bug.cgi?id=106160
>>>> https://bugs.webkit.org/show_bug.cgi?id=131137
>>>> test_CANT_SAFELY_VERIFY_SYNTAX at
>>>> https://code.google.com/p/google-caja/source/browse/trunk/src/com/google/caja/ses/repairES5.js#3198
>>>> repair_CANT_SAFELY_VERIFY_SYNTAX at
>>>> https://code.google.com/p/google-caja/source/browse/trunk/src/com/google/caja/ses/repairES5.js#4170
>>>>
>>>> After the repair, the Function constructor is safe again on Safari, but
>>>> at considerable expense.
>>>>
>>>>
>>>>
>>>>
>>>>> compared to eval, and needed to eventually de-opt from 'use strict'
>>>>> but of course you could write your own parser avoiding Function 
>>>>> completely.
>>>>>
>>>>> Finally, I agree it would be nice to be able to have a standard way to
>>>>> template strings in JS, the templating as it is plays very poorly with
>>>>> runtime generated strings, using eval for that looks the dirtiest thing on
>>>>> earth.
>>>>>
>>>>> Regards
>>>>>
>>>>>
>>>>>
>>>>> On Sun, Mar 22, 2015 at 10:05 AM, KOLANICH <kola...@mail.ru> wrote:
>>>>>
>>>>>> I needed a functionality but haven't found it.
>>>>>> See
>>>>>> https://stackoverflow.com/questions/29182244/convert-a-string-to-a-template-string
>>>>>> for more details.
>>>>>> I think that this should be included into standard;
>>>>>>
>>>>>>
>>>>>> Also we need a standard format string functionality like
>>>>>> https://msdn.microsoft.com/en-us/library/system.string.format.aspx
>>>>>> and https://docs.python.org/2/library/string.html#string-formatting
>>>>>>
>>>>>> _______________________________________________
>>>>>> es-discuss mailing list
>>>>>> es-discuss@mozilla.org
>>>>>> https://mail.mozilla.org/listinfo/es-discuss
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>> --
>>>>     Cheers,
>>>>     --MarkM
>>>>
>>>
>>>
>>>
>>>
>>
>>
>> --
>> Text by me above is hereby placed in the public domain
>>
>>   Cheers,
>>   --MarkM
>>
>
>
>
> --
>     Cheers,
>     --MarkM
>



-- 
    Cheers,
    --MarkM
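The thread above raises three separate points against a Function-based String.prototype.template: the string skips enclosing lexical scopes and resolves names at global scope, anything the placeholder pattern captures reaches the JS parser as code, and the only fully safe route is a parser of your own that never calls Function. The following is an added example that is not code from the gist, from Mark Miller, or from the list; `naiveTemplate` is an assumed reconstruction of the concatenating approach described in the thread (literal parts and placeholder bodies joined with `+`, the keys of the data object passed as Function parameters), not the gist's actual implementation. The global `document` stand-in, the `__injected` sentinel and the attacker string are constructed for the demo. It goes beyond the thread's `${document}` case in one respect: on a spec-conforming engine the Function body is parsed on its own, so the unbalanced-brace form Mark describes is a SyntaxError there (that is what the WebKit bug and the Caja repair are about), and the injection below therefore uses a complete expression, which the lazy `[\S\s]*?` admits just as readily.

```javascript
'use strict';

// Added example, not the gist's code. naiveTemplate is an assumed
// reconstruction of a Function-based .template(): split on ${...},
// concatenate the literal parts with the placeholder bodies as JS
// expressions, compile with new Function, and pass the keys of `data`
// as parameters. safeTemplate is the parser-based alternative.

const PLACEHOLDER = /\$\{([\S\s]*?)\}/g; // the permissive pattern the thread discusses

function naiveTemplate(str, data = {}) {
  const keys = Object.keys(data);
  const parts = [];
  let last = 0;
  for (const m of str.matchAll(PLACEHOLDER)) {
    parts.push(JSON.stringify(str.slice(last, m.index)));
    parts.push('(' + m[1] + ')'); // the placeholder body becomes code
    last = m.index + m[0].length;
  }
  parts.push(JSON.stringify(str.slice(last)));
  const body = 'return ' + parts.join(' + ') + ';';
  // new Function compiles `body` at global scope: the only non-global
  // names it can see are the parameters we hand it.
  return new Function(...keys, body)(...keys.map((k) => data[k]));
}

// Hazard 1: the pseudo-template ignores the lexically enclosing `document`.
function scopeDemo() {
  // Constructed stand-in for the browser's global document (assumption:
  // running under Node, which has no `document` of its own).
  if (typeof globalThis.document === 'undefined') {
    globalThis.document = { title: 'GLOBAL' };
  }
  return (function (document) {
    const real = `title=${document.title}`;                  // lexical: the parameter
    const pseudo = naiveTemplate('title=${document.title}'); // global: the parameter is invisible
    return { real, pseudo };
  })({ title: 'LOCAL' });
}

// Hazard 2: whatever the pattern captures is parsed and executed. A
// complete expression with a side effect needs no closing brace, so the
// lazy [\S\s]*? lets it straight through. Constructed attacker input:
const INJECTED = 'hello ${ globalThis.__injected = "owned" }';

function injectionDemo() {
  delete globalThis.__injected;
  const out = naiveTemplate(INJECTED);
  return { out, sideEffect: globalThis.__injected };
}

// Safe alternative: placeholders are restricted to dotted property paths
// resolved against `data` with own-property checks only. No JS parser is
// involved, so ${1 + 2} is rejected instead of evaluated, and neither the
// lexical nor the global scope is reachable from the string.
const PATH = /^\s*[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*\s*$/;

function safeTemplate(str, data = {}) {
  return str.replace(PLACEHOLDER, (_, body) => {
    if (!PATH.test(body)) {
      throw new TypeError('template placeholder is not a property path: ' + body);
    }
    let cur = data;
    for (const key of body.trim().split('.')) {
      if (cur === null || typeof cur !== 'object' ||
          !Object.prototype.hasOwnProperty.call(cur, key)) {
        throw new RangeError('unknown template property: ' + body.trim());
      }
      cur = cur[key];
    }
    return String(cur);
  });
}
```

Calling `scopeDemo()` returns `title=LOCAL` for the genuine template literal and `title=GLOBAL` for the pseudo-template, and `injectionDemo()` shows the side effect landing on the global object; `safeTemplate(INJECTED)` throws before anything runs. The price of the safe version is the loss of `${1 + 2}`: only property lookups on the supplied object are supported, which is the trade-off Andrea alludes to when he says you could write your own parser avoiding Function completely.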