gaz Heyes wrote:
On 27 June 2012 10:06, Brendan Eich <[email protected]> wrote:
What's the difference between
`lit1 ${exp1} lit2 ${exp2} lit3`
and
sprintf("lit1 %s lit2 %s lit3", exp1, exp2)
A list of variables would have to appear outside the backticks somehow,
like the earlier example using a function call. If not, even context-aware
text could be used to expose variables and DOM objects on the
page if the developer allows content inside backticks. A developer
will assume that a backtick is just another way to declare strings
across multiple lines and will probably (in most cases) account for
escaping backticks, but will fail to account for variables being used
inside backticks.
You assume a developer will assume something. We need evidence.
Lots of languages, e.g. CoffeeScript after Ruby, or bash after the
Bourne shell (sh), use embedded expressions in ${...} or #{...} brackets
in distinguished strings (e.g., double-quoted strings).
These languages don't obviously have more injection attacks based on
failure to sanitize than languages with printf-style format strings.
Indeed the mismatch problem makes the latter actually unsafe (even
memory-unsafe) in too many languages.
Another thing to consider is that in server-side languages such as PHP,
backticks are an eval-like construct, and if a dev misplaces the
backticks then instead of XSS they will have remote code execution.
Yes, that's a drag. We lack good options that anyone can type, though.
If I recall correctly, an earlier proposal used
format "..."
with format a contextual keyword. In that case one could even switch
from embedded ${...} expressions to printf-style trailing arguments, and
still have static checking that format specifier and trailing argument
counts agree. But then we don't get multiline strings, and the minimal
escape interpretation of quasis would be unexpected in anything double
(or single) quoted.
Also: PHP, really? Let's not cross the streams and degrade JS syntax
just in case. We would need evidence more than the hypothetical risk you
cite (I appreciate that you wrote "Another thing to consider", instead
of calling this an actual problem -- if you have evidence, please lay it
out here).
Also, in IE a backtick is a valid attribute quote; this would introduce
new XSS vectors by reusing the existing backticks with an injection.
Insane. What version(s) of IE? You mean in HTML? That's not standard; of
course it never was, but with HTML5 and new IE releases, is this still
supported?
/be
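The two mechanisms being compared above, as an added example that is not part of the thread or of any ES proposal: a minimal printf-style `sprintf` that turns the specifier/argument count mismatch Brendan mentions into a thrown error, and a template literal used untagged (substitutions spliced in raw, exactly like concatenation) beside an `html` tag function that escapes substitutions for an HTML attribute context. The function names, the `escapeHtml` character set and the attacker-controlled input are assumptions constructed for the example; the backtick is escaped only because of the IE attribute-quote claim made in the thread, which the thread itself does not verify.

```javascript
// Added example, not code from the es-discuss thread or from any ES proposal.

// Minimal printf-style formatter supporting only %s and %%.
// A specifier/argument count mismatch throws instead of silently
// reading a missing argument or dropping an extra one.
function sprintf(fmt, ...args) {
  let i = 0;
  const out = fmt.replace(/%(.)/g, (m, spec) => {
    if (spec === "%") return "%";
    if (spec !== "s") throw new Error(`unsupported specifier ${m}`);
    if (i >= args.length) throw new Error("too few arguments for format string");
    return String(args[i++]);
  });
  if (i !== args.length) throw new Error("too many arguments for format string");
  return out;
}

// Escaper for HTML text and double-quoted attribute context.
// The backtick is included as a conservative assumption based on the
// thread's claim that some IE versions accept ` as an attribute quote.
function escapeHtml(value) {
  const map = {
    "&": "&amp;", "<": "&lt;", ">": "&gt;",
    '"': "&quot;", "'": "&#39;", "`": "&#96;",
  };
  return String(value).replace(/[&<>"'`]/g, (c) => map[c]);
}

// Tag function: the literal parts are the developer's own text and are
// trusted; every ${...} substitution is escaped before being spliced in.
function html(strings, ...values) {
  return strings.reduce(
    (acc, s, k) => acc + s + (k < values.length ? escapeHtml(values[k]) : ""),
    ""
  );
}

// Constructed attacker-controlled input (hypothetical, not from the thread):
// closes the title attribute and injects an event handler.
const untrusted = '" onmouseover="alert(1)" x="`';

// Untagged template literal: the substitution lands in the markup raw,
// which is no different from sprintf("%s") or string concatenation.
function rawAttr(v) {
  return `<a title="${v}">link</a>`;
}

// Tagged template literal: same syntax, but the substitution is escaped.
function safeAttr(v) {
  return html`<a title="${v}">link</a>`;
}
```

The point the example makes for the sanitisation argument in the thread: `${...}` by itself is neither safer nor less safe than `%s`; what decides injection is whether the value reaches the output through an escaping step, and a tag function is the place the language gives you to put that step. Count mismatches, by contrast, are a problem only the printf style has.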
_______________________________________________
es-discuss mailing list
[email protected]
https://mail.mozilla.org/listinfo/es-discuss