Why on earth are you avoiding strict mode? I can't even begin to think of the hazards from handling a user-provided string to be parsed non-strict. Nor should anyone bother; sloppy mode is a mess that should simply be avoided for all new code -- especially in the careful handling of a user-provided string!
On Sun, Mar 22, 2015 at 7:50 AM, Mark Miller <[email protected]> wrote:
> The pattern [\S\s]*? admits a lot. Why are you confident that it can't
> contain a string that, for example, closes the function with an unbalanced
> "}", then has an evil expression which evaluates, followed by an
> unbalanced "{" so the whole thing still parses?
>
> On Sun, Mar 22, 2015 at 7:38 AM, Andrea Giammarchi <
> [email protected]> wrote:
>
>> Hi Mark, thanks for pointing that out but if I understand the problem
>> correctly then the snippet I've suggested concatenates strings and will
>> never produce those problematic syntax errors. Can I say it's still safe?
>> Or do you think it might have some problem in Safari?
>>
>> Cheers
>>
>> On Sun, Mar 22, 2015 at 11:28 AM, Mark S. Miller <[email protected]>
>> wrote:
>>
>>> On Sun, Mar 22, 2015 at 6:46 AM, Andrea Giammarchi <
>>> [email protected]> wrote:
>>>
>>>> There's no such functionality indeed but you might want to have a look
>>>> at this gist:
>>>> https://gist.github.com/WebReflection/8f227532143e63649804
>>>>
>>>> It gives you the ability to write `'test1 ${1 + 2} test2 ${3 + 4}'
>>>> .template();` and read `test1 3 test2 7` or to pass an object similar
>>>> to .Net String.format so that your Stack overflow code would be like the
>>>> following:
>>>>
>>>> ```js
>>>>
>>>> let a = "b:${b}";
>>>> let b = 10;
>>>>
>>>> console.log(a.template({b:b}));
>>>>
>>>> // or
>>>>
>>>> console.log(a.template({b:27}));
>>>>
>>>> ```
>>>>
>>>> You pass named properties and it works with nested properties too (i.e.
>>>> ${down.the.road})
>>>>
>>>> It does use Function which is safe,
>>>>
>>>
>>> Function is safe almost everywhere, but it is worth pointing out
>>>
>>> https://bugs.webkit.org/show_bug.cgi?id=106160
>>> https://bugs.webkit.org/show_bug.cgi?id=131137
>>> test_CANT_SAFELY_VERIFY_SYNTAX at
>>> https://code.google.com/p/google-caja/source/browse/trunk/src/com/google/caja/ses/repairES5.js#3198
>>> repair_CANT_SAFELY_VERIFY_SYNTAX at
>>> https://code.google.com/p/google-caja/source/browse/trunk/src/com/google/caja/ses/repairES5.js#4170
>>>
>>> After the repair, the Function constructor is safe again on Safari, but
>>> at considerable expense.
>>>
>>>> compared to eval, and needed to eventually de-opt from 'use strict' but
>>>> of course you could write your own parser avoiding Function completely.
>>>>
>>>> Finally, I agree it would be nice to be able to have a standard way to
>>>> template strings in JS, the templating as it is plays very poorly with
>>>> runtime generated strings, using eval for that looks the dirtiest thing on
>>>> earth.
>>>>
>>>> Regards
>>>>
>>>> On Sun, Mar 22, 2015 at 10:05 AM, KOLANICH <[email protected]> wrote:
>>>>
>>>>> I needed a functionality but haven't found it.
>>>>> See
>>>>> https://stackoverflow.com/questions/29182244/convert-a-string-to-a-template-string
>>>>> for more details.
>>>>> I think that this should be included into standard;
>>>>>
>>>>> Also we need a standard format string functionality like
>>>>> https://msdn.microsoft.com/en-us/library/system.string.format.aspx
>>>>> and https://docs.python.org/2/library/string.html#string-formatting
>>>>>
>>>>> _______________________________________________
>>>>> es-discuss mailing list
>>>>> [email protected]
>>>>> https://mail.mozilla.org/listinfo/es-discuss
>>>>
>>>
>>> --
>>> Cheers,
>>> --MarkM
>>
>
> --
> Text by me above is hereby placed in the public domain
>
> Cheers,
> --MarkM

--
Cheers,
--MarkM
_______________________________________________ es-discuss mailing list [email protected] https://mail.mozilla.org/listinfo/es-discuss
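
The thread mentions writing a parser that avoids Function completely. The following is an added example of that approach, not code from the gist or from any participant: it runs in strict mode, treats the template purely as text, and accepts only dotted property paths inside `${...}`. The names renderTemplate, lookup and PATH are hypothetical.

```javascript
'use strict';

// Added example; renderTemplate, lookup and PATH are hypothetical names.
// A placeholder body may only be a dotted path of identifiers, e.g. down.the.road
const PATH = /^[A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)*$/;

function lookup(data, path) {
  let value = data;
  for (const key of path.split('.')) {
    // Own properties only: the prototype chain is never walked, so paths such
    // as constructor.constructor or __proto__ do not resolve to anything.
    if (value === null || typeof value !== 'object' ||
        !Object.prototype.hasOwnProperty.call(value, key)) {
      throw new ReferenceError('unknown template property: ' + path);
    }
    value = value[key];
  }
  return value;
}

function renderTemplate(template, data) {
  // The template is only scanned as text; no part of it is ever compiled,
  // so unbalanced braces around a placeholder stay literal characters.
  return String(template).replace(/\$\{([^}]*)\}/g, (match, body) => {
    const path = body.trim();
    if (!PATH.test(path)) {
      throw new SyntaxError('only property paths are allowed in ${...}: ' + body);
    }
    return String(lookup(data, path));
  });
}
```

Expressions such as `${1 + 2}` are rejected by design, so this covers the named-property use from the thread but not arbitrary expression evaluation.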

