The pattern [\S\s]*? admits a lot. Why are you confident that it can't contain a string that, for example, closes the function with an unbalanced "}", then has an evil expression which evaluates, followed by an unbalanced "{" so the whole thing still parses?
On Sun, Mar 22, 2015 at 7:38 AM, Andrea Giammarchi <andrea.giammar...@gmail.com> wrote:

> Hi Mark, thanks for pointing that out but if I understand the problem
> correctly then the snippet I've suggested concatenates strings and will
> never produce those problematic syntax errors. Can I say it's still safe?
> Or do you think it might have some problem in Safari?
>
> Cheers
>
> On Sun, Mar 22, 2015 at 11:28 AM, Mark S. Miller <erig...@google.com>
> wrote:
>
>> On Sun, Mar 22, 2015 at 6:46 AM, Andrea Giammarchi <
>> andrea.giammar...@gmail.com> wrote:
>>
>>> There's no such functionality indeed but you might want to have a look
>>> at this gist: https://gist.github.com/WebReflection/8f227532143e63649804
>>>
>>> It gives you the ability to write `'test1 ${1 + 2} test2 ${3 + 4}'
>>> .template();` and read `test1 3 test2 7` or to pass an object similar
>>> to .Net String.format so that your Stack overflow code would be like the
>>> following:
>>>
>>> ```js
>>>
>>> let a = "b:${b}";
>>> let b = 10;
>>>
>>> console.log(a.template({b:b}));
>>>
>>> // or
>>>
>>> console.log(a.template({b:27}));
>>>
>>> ```
>>>
>>> You pass named properties and it works with nested properties too (i.e.
>>> ${down.the.road})
>>>
>>> It does use Function which is safe,
>>
>> Function is safe almost everywhere, but it is worth pointing out
>>
>> https://bugs.webkit.org/show_bug.cgi?id=106160
>> https://bugs.webkit.org/show_bug.cgi?id=131137
>> test_CANT_SAFELY_VERIFY_SYNTAX at
>> https://code.google.com/p/google-caja/source/browse/trunk/src/com/google/caja/ses/repairES5.js#3198
>> repair_CANT_SAFELY_VERIFY_SYNTAX at
>> https://code.google.com/p/google-caja/source/browse/trunk/src/com/google/caja/ses/repairES5.js#4170
>>
>> After the repair, the Function constructor is safe again on Safari, but
>> at considerable expense.
>>
>>> compared to eval, and needed to eventually de-opt from 'use strict' but
>>> of course you could write your own parser avoiding Function completely.
>>>
>>> Finally, I agree it would be nice to be able to have a standard way to
>>> template strings in JS, the templating as it is plays very poorly with
>>> runtime generated strings, using eval for that looks the dirtiest thing on
>>> earth.
>>>
>>> Regards
>>>
>>> On Sun, Mar 22, 2015 at 10:05 AM, KOLANICH <kola...@mail.ru> wrote:
>>>
>>>> I needed a functionality but haven't found it.
>>>> See
>>>> https://stackoverflow.com/questions/29182244/convert-a-string-to-a-template-string
>>>> for more details.
>>>> I think that this should be included into standard;
>>>>
>>>> Also we need a standard format string functionality like
>>>> https://msdn.microsoft.com/en-us/library/system.string.format.aspx and
>>>> https://docs.python.org/2/library/string.html#string-formatting
>>>>
>>>> _______________________________________________
>>>> es-discuss mailing list
>>>> es-discuss@mozilla.org
>>>> https://mail.mozilla.org/listinfo/es-discuss
>>
>> --
>> Cheers,
>> --MarkM

--
Text by me above is hereby placed in the public domain

Cheers,
--MarkM
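The quoted message mentions writing a parser that avoids Function completely. The sketch below is an added example of that approach, not code from the gist or from anyone in this thread: placeholders are restricted to dotted property paths and resolved by lookup, so no template text is ever compiled as source. The names `renderTemplate`, `lookup`, `PATH` and `PLACEHOLDER` are hypothetical, and the inputs are constructed.

```javascript
// Added example: Function-free interpolation. All names here are
// hypothetical and are not the gist's API.

// A placeholder may contain only a dotted path of identifiers.
const PATH = /^[A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)*$/;
// The body excludes braces, so a placeholder cannot close or reopen a block.
const PLACEHOLDER = /\$\{([^{}]*)\}/g;

function lookup(data, path) {
  let value = data;
  for (const key of path.split('.')) {
    // Own properties only: no walking into constructor or __proto__.
    if (value === null || typeof value !== 'object' ||
        !Object.prototype.hasOwnProperty.call(value, key)) {
      throw new ReferenceError('unknown template property: ' + path);
    }
    value = value[key];
  }
  return value;
}

function renderTemplate(template, data) {
  return template.replace(PLACEHOLDER, (match, body) => {
    const path = body.trim();
    if (!PATH.test(path)) {
      throw new SyntaxError('not a property path: ' + match);
    }
    return String(lookup(data, path));
  });
}

// Constructed sample inputs: three that render, two that are rejected.
function demo() {
  const out = [];
  out.push(renderTemplate('b:${b}', { b: 10 }));
  out.push(renderTemplate('${down.the.road}!', { down: { the: { road: 'ok' } } }));
  // Stray braces outside a placeholder stay literal text.
  out.push(renderTemplate('${a}} {${a}', { a: 1 }));
  for (const bad of ['${1 + 2}', '${constructor.constructor}']) {
    try { out.push(renderTemplate(bad, { a: 1 })); }
    catch (e) { out.push(e.name); }
  }
  return out;
}
```

The trade-off is that expressions such as `${1 + 2}` are rejected rather than evaluated; only named and nested properties are supported.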