Is it your intention to have these weird pseudo-template strings skip over
enclosing lexical scopes and go right to the global scope? What document does

    function(document) { ... '....${...document...}...'.template() ... }

access? With a genuine template string

    function(document) { ... `....${...document...}...` ... }

it would access the lexically enclosing one, not the global one.

Alternatively, if you use SES's confine[1] rather than new Function(...).call(...),
the string would evaluate in an environment whose only bindings are the safe
globals and the properties of the second argument to confine.

[1] https://code.google.com/p/google-caja/source/browse/trunk/src/com/google/caja/ses/startSES.js#901

On Sun, Mar 22, 2015 at 7:58 AM, Mark S. Miller <erig...@google.com> wrote:
> Why on earth are you avoiding strict mode? I can't even begin to think of
> the hazards from handling a user-provided string to be parsed non-strict.
> Nor should anyone bother; sloppy mode is a mess that should simply be
> avoided for all new code -- especially in the careful handling of a user
> provided string!
>
> On Sun, Mar 22, 2015 at 7:50 AM, Mark Miller <erig...@gmail.com> wrote:
>
>> The pattern [\S\s]*? admits a lot. Why are you confident that it can't
>> contain a string that, for example, closes the function with an unbalanced
>> "}", then has an evil expression which evaluates, followed by an
>> unbalanced "{" so the whole thing still parses?
>>
>> On Sun, Mar 22, 2015 at 7:38 AM, Andrea Giammarchi <andrea.giammar...@gmail.com> wrote:
>>
>>> Hi Mark, thanks for pointing that out, but if I understand the problem
>>> correctly then the snippet I've suggested concatenates strings and will
>>> never produce those problematic syntax errors. Can I say it's still safe?
>>> Or do you think it might have some problem in Safari?
>>>
>>> Cheers
>>>
>>> On Sun, Mar 22, 2015 at 11:28 AM, Mark S. Miller <erig...@google.com> wrote:
>>>
>>>> On Sun, Mar 22, 2015 at 6:46 AM, Andrea Giammarchi <andrea.giammar...@gmail.com> wrote:
>>>>
>>>>> There's no such functionality indeed, but you might want to have a look
>>>>> at this gist:
>>>>> https://gist.github.com/WebReflection/8f227532143e63649804
>>>>>
>>>>> It gives you the ability to write `'test1 ${1 + 2} test2 ${3 + 4}'.template();`
>>>>> and read `test1 3 test2 7`, or to pass an object similar to .Net
>>>>> String.format so that your Stack Overflow code would be like the
>>>>> following:
>>>>>
>>>>> ```js
>>>>> let a = "b:${b}";
>>>>> let b = 10;
>>>>>
>>>>> console.log(a.template({b:b}));
>>>>>
>>>>> // or
>>>>>
>>>>> console.log(a.template({b:27}));
>>>>> ```
>>>>>
>>>>> You pass named properties and it works with nested properties too
>>>>> (i.e. ${down.the.road})
>>>>>
>>>>> It does use Function which is safe,
>>>>
>>>> Function is safe almost everywhere, but it is worth pointing out
>>>>
>>>> https://bugs.webkit.org/show_bug.cgi?id=106160
>>>> https://bugs.webkit.org/show_bug.cgi?id=131137
>>>> test_CANT_SAFELY_VERIFY_SYNTAX at
>>>> https://code.google.com/p/google-caja/source/browse/trunk/src/com/google/caja/ses/repairES5.js#3198
>>>> repair_CANT_SAFELY_VERIFY_SYNTAX at
>>>> https://code.google.com/p/google-caja/source/browse/trunk/src/com/google/caja/ses/repairES5.js#4170
>>>>
>>>> After the repair, the Function constructor is safe again on Safari, but
>>>> at considerable expense.
>>>>
>>>>> compared to eval, and needed to eventually de-opt from 'use strict'
>>>>> but of course you could write your own parser avoiding Function
>>>>> completely.
>>>>>
>>>>> Finally, I agree it would be nice to be able to have a standard way to
>>>>> template strings in JS; the templating as it is plays very poorly with
>>>>> runtime generated strings, and using eval for that looks like the dirtiest
>>>>> thing on earth.
>>>>>
>>>>> Regards
>>>>>
>>>>> On Sun, Mar 22, 2015 at 10:05 AM, KOLANICH <kola...@mail.ru> wrote:
>>>>>
>>>>>> I needed a functionality but haven't found it.
>>>>>> See
>>>>>> https://stackoverflow.com/questions/29182244/convert-a-string-to-a-template-string
>>>>>> for more details.
>>>>>> I think that this should be included in the standard.
>>>>>>
>>>>>> Also we need a standard format string functionality like
>>>>>> https://msdn.microsoft.com/en-us/library/system.string.format.aspx
>>>>>> and https://docs.python.org/2/library/string.html#string-formatting
>>>>>>
>>>>>> _______________________________________________
>>>>>> es-discuss mailing list
>>>>>> es-discuss@mozilla.org
>>>>>> https://mail.mozilla.org/listinfo/es-discuss
>>>>>
>>>>
>>>> --
>>>> Cheers,
>>>> --MarkM
>>>
>>
>> --
>> Text by me above is hereby placed in the public domain
>>
>> Cheers,
>> --MarkM
>
> --
> Cheers,
> --MarkM

--
Cheers,
--MarkM
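An added example illustrating the two points raised in the thread; it is not the gist's code nor anything posted by the participants, and the names `naiveTemplate`, `scopeDemo` and `safeTemplate` are hypothetical. `naiveTemplate` turns the string into the body of a `new Function`, so `${...}` is evaluated as code in that function's own scope rather than the caller's lexical scope; `safeTemplate` is the "parser avoiding Function completely" alternative, resolving `${down.the.road}` as a property path on the supplied object so nothing in the string is ever compiled.

```javascript
// Added example, not code from the gist or from the thread participants.

// Naive: the string is compiled as a template literal inside new Function.
// Whatever sits inside ${...} is parsed and executed; a backtick or an
// unbalanced "}" in str changes the code that gets compiled.
function naiveTemplate(str, props = {}) {
  const keys = Object.keys(props);
  const body = 'return `' + str + '`;';
  return new Function(...keys, body)(...keys.map((k) => props[k]));
}

// The scope question from the message above: a local `document` binding is
// visible to a real template literal, but not to the Function-based one.
function scopeDemo() {
  const document = 'lexical document'; // stands in for function(document) {...}
  const direct = `doc=${document}`;    // genuine template literal: sees the local
  let viaFunction;
  try {
    // The Function body is not lexically nested here, so `document` resolves
    // in the global scope: ReferenceError in Node, window.document in a browser.
    viaFunction = naiveTemplate('doc=${document}');
  } catch (e) {
    viaFunction = e.constructor.name;
  }
  return { direct, viaFunction };
}

// Lookup-only: ${a.b.c} is a dotted property path on props. Own properties
// only, so ${constructor.prototype} cannot walk the prototype chain, and an
// unknown path leaves the placeholder untouched instead of evaluating anything.
function safeTemplate(str, props) {
  return str.replace(/\$\{([^}]*)\}/g, (placeholder, path) => {
    let value = props;
    for (const key of path.trim().split('.')) {
      if (value === null || typeof value !== 'object' ||
          !Object.prototype.hasOwnProperty.call(value, key)) {
        return placeholder;
      }
      value = value[key];
    }
    return String(value);
  });
}

console.log(naiveTemplate('test1 ${1 + 2} test2 ${3 + 4}')); // expressions run
console.log(scopeDemo());
console.log(safeTemplate('b:${b} ${down.the.road}', { b: 27, down: { the: { road: 7 } } }));
```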