On 27 June 2012 10:06, Brendan Eich <[email protected]> wrote:
> What's the difference between
>
> `lit1 ${exp1} lit2 ${exp2} lit3`
>
> and
>
> sprintf("lit1 %s lit2 %s lit3", exp1, exp2)
A list of variables would have to appear outside the backticks somehow, like the earlier example using a function call. If not, even context-aware text could be used to expose variables and DOM objects on the page if the developer allows content inside backticks. A developer will assume that a backtick is just another way to declare strings across multiple lines and will probably (in most cases) account for escaping backticks, but will fail to account for variables being used inside backticks. Another thing to consider is that in server-side languages such as PHP, backticks are an eval-like construct, and if a dev misplaces the backticks then instead of XSS they will have remote code execution. Also, in IE a backtick is a valid attribute quote; this would introduce new XSS vectors by reusing the existing backticks with an injection.
_______________________________________________
es-discuss mailing list
[email protected]
https://mail.mozilla.org/listinfo/es-discuss
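The difference between the two forms in the thread above, shown as an added example that is not part of the original messages: an untagged template literal inserts each `${exp}` result verbatim (like `sprintf("%s")`), whereas a tag function receives the literal chunks and the values separately and can escape the values for the HTML context. The `html` tag, `escapeHtml` and the sample input are assumptions constructed for this example.

```javascript
// Added example (not from the es-discuss thread). Escapes the characters that
// change meaning in HTML text and attribute contexts; the backtick is included
// because, as the reply notes, older IE accepts it as an attribute quote.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;")
    .replace(/`/g, "&#96;");
}

// Tag function (hypothetical name): `strings` holds the literal chunks, `values`
// the evaluated ${} expressions, so the two can be treated differently, which a
// sprintf-style call that has already concatenated them cannot do.
function html(strings, ...values) {
  return strings.reduce(
    (out, chunk, i) => out + chunk + (i < values.length ? escapeHtml(values[i]) : ""),
    ""
  );
}

// Untagged template literal: the value goes in unmodified, exactly like %s.
function rawGreeting(name) {
  return `<p title="${name}">Hello ${name}</p>`;
}

// Tagged template literal: same source shape, but every ${} passes through escapeHtml.
function safeGreeting(name) {
  return html`<p title="${name}">Hello ${name}</p>`;
}

// Constructed sample input carrying a quote, an angle bracket and a backtick.
const sample = 'Ann" <b>`';
console.log(rawGreeting(sample));  // quote and tag land in the markup as-is
console.log(safeGreeting(sample)); // <p title="Ann&quot; &lt;b&gt;&#96;">Hello Ann&quot; &lt;b&gt;&#96;</p>
```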

