Template string hack
Reported by
masa....@gmail.com,
Nov 8 2016
Issue description
UserAgent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36
Steps to reproduce the problem:
PoC 1:
a=`${alert(1)`;
b="`}`//";
PoC 2:
a=`${alert/*`;
b="*/(1)}`//";
PoC 3:
<script>a=`jackmasa<!--<script/\`;</script>
<input value="${alert(1)}`</script/">
What is the expected behavior?
Uncaught SyntaxError
What went wrong?
alert function is called.
Did this work before? N/A
Chrome version: 54.0.2840.71 Channel: n/a
OS Version: 10.0
Flash Version: Shockwave Flash 23.0 r0
Nov 11 2016
Nov 17 2016
Nov 17 2016
Thanks for the report. I think this is spec compliant and working as intended. If I read the ECMAScript spec correctly:
- http://www.ecma-international.org/ecma-262/6.0/
- 12.2.9 Template Literals, combined with
- 11.8.6 Template Literal Lexical Components

We will (and should) parse
- `${ as TemplateHead
- alert(1)`;\nb="` as Expression
- }` as TemplateSpans / TemplateTail

So, the parts after ${ should be parsed as a proper Expression until the } in the next line, and alert would be part of that expression, and should indeed be called.

I could be reading this wrong - I find the spec quite hard to read - but if so I'd need some additional hints as to how/why exactly. Also, does Chrome/Chromium's behaviour differ from other browsers here? If the spec itself should be changed, then this is a matter for TC39.
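The parse described in the comment above, worked through as an added example (this code is not from the bug report or from Chromium). It compiles a constructed copy of PoC 1 with `new Function`, with `alert(1)` swapped for a harmless `record(1)` so the embedded call can be observed, and shows that the second line's `b="..."` assignment never runs because it is swallowed by the substitution expression. The second half is a defender's counterpart: an escaping helper for data placed between backticks. The names `parseAndRun`, `escapeForTemplateLiteral`, `embedSafely`, `record` and the rule of escaping backslash, backtick and `${` are assumptions of this example, not anything the report specifies.

```javascript
// Added example, not from the Chromium bug report.
//
// Constructed source with the shape of PoC 1 from the report; alert(1) is
// replaced by record(1) so the call can be observed without UI side effects.
// After expansion it reads:
//   a=`${record(1)`;
//   b="`}`//";
const POC1_SOURCE = 'a=`${record(1)`;\nb="`}`//";';

// Compiles `source` as a function body with a `record` parameter in scope,
// runs it, and reports whether it parsed, which values record() saw, and the
// final values of a and b. `var a, b;` is prepended so the PoC's sloppy-mode
// assignments do not leak into the global object.
function parseAndRun(source) {
  const calls = [];
  let fn;
  try {
    fn = new Function('record', 'var a, b;\n' + source + '\nreturn { a: a, b: b };');
  } catch (e) {
    if (e instanceof SyntaxError) {
      return { parsed: false, calls: calls, a: undefined, b: undefined };
    }
    throw e;
  }
  // In the PoC the call result is immediately used as a template tag
  // (alert(1)`...`), so record() returns a tag function that hands back the
  // raw template text. That is what makes the value of `a` observable.
  const record = (v) => {
    calls.push(v);
    return (strings) => strings.raw.join('');
  };
  const out = fn(record);
  return { parsed: true, calls: calls, a: out.a, b: out.b };
}

// Escapes a value for insertion between backticks: backslash first, then the
// backtick and the `${` substitution opener, so the value can neither close
// the literal nor open an expression. (Assumed rule for this example.)
function escapeForTemplateLiteral(s) {
  return String(s)
    .replace(/\\/g, '\\\\')
    .replace(/`/g, '\\`')
    .replace(/\$\{/g, '\\${');
}

// Builds the same `a=`...`;` statement with the untrusted part escaped and
// runs it through parseAndRun, so the two outcomes can be compared.
function embedSafely(untrusted) {
  return parseAndRun('a=`' + escapeForTemplateLiteral(untrusted) + '`;');
}

// The part of PoC 1 an injected value would contribute after a=`.
const INJECTED = '${record(1)`;\nb="`}`//";';

// Stand-alone run: the raw PoC parses, record(1) fires, and b is never
// assigned; the escaped version parses too, but record() is never called and
// `a` is just the injected text as a string.
const raw = parseAndRun(POC1_SOURCE);
const safe = embedSafely(INJECTED);
console.log('raw:   parsed=%s calls=%j a=%j b=%j', raw.parsed, raw.calls, raw.a, raw.b);
console.log('escaped: parsed=%s calls=%j a===INJECTED:%s', safe.parsed, safe.calls, safe.a === INJECTED);
```

Run it with `node`; the first line of output shows `calls=[1]` and `b=undefined`, confirming the commenter's reading that everything up to the `}` on the second line is one Expression, while the escaped variant shows `calls=[]`.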
Comment 1 by rtoy@chromium.org
Nov 9 2016
Status: Untriaged (was: Unconfirmed)