d at domenic.me (2014-12-19T22:52:59.298Z)
Apologies for the probably futile extra precaution but, since someone might
be confused already, I think it must be said that nobody should ever use
ES6 interpolated strings like the following:
```js
dom.innerHTML = `<div class="${className}"></div>`;
```
unless eventual bound references are not made safe elsewhere.
In raw template-like logic, like the suggested gist, it should also,
eventually, be like the following:
```js
dom.innerHTML = '<div class="${className}"></div>'.template({
  className: safeForHTML(className)
});
```
Still in templates, when double curly braces are in place, it usually means
such a safe HTML/sanitize operation is done automagically behind the scenes,
avoiding repeated `safeForHTML` calls.
I hope the distinction is cleaner now.
Best Regards

On Tue, Dec 16, 2014 at 3:26 PM, Domenic Denicola <d at domenic.me> wrote:

> You want templates, which is something provided by many libraries
> (Handlebars, etc.). The language provides template strings as a syntactic
> feature.
>
> Templates and template strings are very different. Don’t be fooled by the
> name into thinking that templates are some sort of natural feature addition
> to template strings; they’re in fact a different concept altogether.
>
> *From:* es-discuss [mailto:es-discuss-bounces at mozilla.org] *On Behalf Of* Niloy Mondal
> *Sent:* Tuesday, December 16, 2014 06:48
> *To:* Andrea Giammarchi
> *Cc:* es-discuss at mozilla.org
> *Subject:* Re: how to delay interpolation of template strings?
>
> Can this be considered for a feature request? Provision in the language to
> dynamically construct template strings and interpolate them.
>
> On Tue, Dec 16, 2014 at 4:48 PM, Andrea Giammarchi <andrea.giammarchi at gmail.com> wrote:
>
> irony ... I think you would need to evaluate the template string inline
> in order to interpolate its result ...
>
> OR
>
> you just go for this method which also works down to ES3 engine:
> https://gist.github.com/WebReflection/8f227532143e63649804
>
> Regards
>
> On Tue, Dec 16, 2014 at 10:01 AM, Niloy Mondal <niloy.mondal84 at gmail.com> wrote:
>
> Thanks, this would work.
>
> How can I construct a template string dynamically? Like reading the
> template from a file/database and then interpolate it.
>
> On Tue, Dec 16, 2014 at 2:29 PM, Claude Pache <claude.pache at gmail.com> wrote:
>
> On 16 Dec 2014 at 09:27, Niloy Mondal <niloy.mondal84 at gmail.com> wrote:
>
> I want to define a template string using backquotes in a different file
> and then have it interpolated with actual values in a different file. How
> can I do it?
>
> Just enclose it in a function:
>
> ```javascript
> function foo(a) {
>   return `some template ${a}`
> }
>
> foo("bar") // will evaluate `some template ${"bar"}`
> ```
>
> —Claude
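
The distinction drawn in the message above, as an added example that is not part of the original thread or of the linked gist: a plain template string places a value into markup verbatim, while a tagged template string or a `{{name}}` template can escape every bound value automatically. The names `escapeHTML`, `html`, `compile`, `unsafeMarkup`, `safeMarkup` and `divTemplate` are hypothetical, and the sample input is constructed.

```javascript
// Added example: escapeHTML, html and compile are hypothetical helper names.
const ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape a value for HTML text content or a quoted attribute value.
function escapeHTML(value) {
  return String(value).replace(/[&<>"']/g, ch => ENTITIES[ch]);
}

// Tagged template string: literal parts pass through, each ${...} is escaped.
function html(strings, ...values) {
  return strings.reduce((out, part, i) => out + escapeHTML(values[i - 1]) + part);
}

// Delayed interpolation: {{name}} placeholders are escaped when data is bound.
function compile(source) {
  return data => source.replace(/\{\{\s*([\w$]+)\s*\}\}/g, (match, key) => {
    if (!Object.prototype.hasOwnProperty.call(data, key)) {
      throw new ReferenceError(`template value "${key}" was not supplied`);
    }
    return escapeHTML(data[key]);
  });
}

// The pattern the message warns about: the value lands in markup verbatim.
function unsafeMarkup(className) {
  return `<div class="${className}"></div>`;
}

// Same markup, but the tag function escapes the interpolated value.
function safeMarkup(className) {
  return html`<div class="${className}"></div>`;
}

// Template defined once (it could be read from a file), bound to data later.
const divTemplate = compile('<div class="{{className}}"></div>');

// Constructed sample input that closes the attribute and adds a second one.
const untrusted = 'box" data-injected="1';

console.log(unsafeMarkup(untrusted));
console.log(safeMarkup(untrusted));
console.log(divTemplate({ className: untrusted }));
```

This escaping is only correct for HTML text and quoted attribute values; URLs, unquoted attributes, inline scripts and styles each need their own encoding or a sanitizer.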