shakespeare-js does not escape #{...} interpolated strings #55
Comments
It looks like a bug for me.
This is the intended behavior. Whether we should change it, or how we should document it, are good questions. Can you raise them on the mailing list?
I also think this behavior is problematic. We should be documenting how to avoid any hassles from automatic safety, not how to make things safe.
This is far from a simple matter, which is why I closed the issue in favor of discussing it on the mailing list. The presumption underlying it is that Julius interpolation is fixated on values which will be included in JS string literals. I'm not convinced that this is what people are expecting: it may be quite disconcerting for a user to try and interpolate some JS code and have it escaped as if it were appearing inside of a string.
Yeah, so from a security standpoint it matters little whether it will be a string literal or something else. To be secure we shouldn't allow any code whatsoever, only JS values.
So should we only interpolate
@joeyadams do you want to ask this on the mail list?
I wrote a simple "hello world" style program for shakespeare-js:
It turns out that no string escaping happens at all! This is what the program outputs:
Is this a bug, or does shakespeare-js not automatically escape interpolated strings? I'm guessing the latter, based on this sentence buried in the Shakespearean Templates documentation:
This might be intended behavior, but it is extremely worrisome:
#{...}
syntax, which does perform the appropriate escaping.
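As an added example (not code from shakespeare-js or from anyone in this thread; the helper names and the sample inputs are my own), this contrasts the verbatim splicing the issue reports with the "values, not code" approach proposed above: the template serializes the interpolated value as a JS literal, and evaluating the generated code confirms the input arrives as data.

```javascript
// Naive interpolation: the value is spliced into a JS string literal verbatim,
// which is what the issue reports for #{...} in Julius.
function naiveTemplate(value) {
  return 'var greeting = "' + value + '";';
}

// Safe interpolation: serialize the value as a JSON literal (also a valid JS
// expression), then escape what JSON leaves alone but that matters inside a
// <script> element: "</" (ends the element) and the line terminators
// U+2028/U+2029 (older engines treat them as newlines inside a literal).
function jsValue(value) {
  return JSON.stringify(value)
    .replace(/<\//g, '<\\/')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

function safeTemplate(value) {
  return 'var greeting = ' + jsValue(value) + ';';
}

// Run the generated code in a fresh function scope and return what `greeting`
// holds, so a check can confirm the input came through as data, not as code.
function evaluateGreeting(code) {
  return new Function(code + ' return greeting;')();
}

// Constructed sample inputs: a quote that breaks the naive literal, and a
// closing script tag that the safe form neutralizes.
const samples = ['Hello "world"', '</script><script>x'];
for (const s of samples) {
  console.log('safe  :', safeTemplate(s));
  try {
    console.log('naive :', evaluateGreeting(naiveTemplate(s)));
  } catch (e) {
    console.log('naive : generated code is not valid JS (' + e.name + ')');
  }
}
```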