Domenic Denicola (2014-12-16T16:49:27.000Z)
Or just use tagged template strings to do the sanitization.


On Dec 16, 2014, at 11:37, Andrea Giammarchi <andrea.giammarchi at gmail.com> wrote:

Apologies for the probably futile extra precaution but, since someone might be confused already, I think it must be said that nobody should ever use ES6 interpolated strings like the following:

```js
dom.innerHTML = `<div class="${className}"></div>`;
```

unless eventual bound references are not made safe elsewhere.

In a raw template like logic, like the suggested gist, it should also, eventually, be like the following:

```js
dom.innerHTML = '<div class="${className}"></div>'.template({
  className: safeForHTML(className)
});
```

Still in templates, when double curly braces are in place, it usually means such a safe HTML/sanitize operation is done automagically behind the scenes, avoiding repeated `safeForHTML` calls.

I hope the distinction is cleaner now.

Best Regards

On Tue, Dec 16, 2014 at 3:26 PM, Domenic Denicola <d at domenic.me> wrote:
You want templates, which is something provided by many libraries (Handlebars, etc.). The language provides template strings as a syntactic feature.

Templates and template strings are very different. Don't be fooled by the name into thinking that templates are some sort of natural feature addition to template strings; they're in fact a different concept altogether.

From: es-discuss [mailto:es-discuss-bounces at mozilla.org] On Behalf Of Niloy Mondal
Sent: Tuesday, December 16, 2014 06:48
To: Andrea Giammarchi
Cc: es-discuss at mozilla.org
Subject: Re: how to delay interpolation of template strings?

Can this be considered for a feature request? Provision in the language to dynamically construct template strings and interpolate them.

On Tue, Dec 16, 2014 at 4:48 PM, Andrea Giammarchi <andrea.giammarchi at gmail.com> wrote:
irony ... I think you would need to evaluate the template string inline in order to interpolate its result ...

OR

you just go for this method, which also works down to ES3 engines:
https://gist.github.com/WebReflection/8f227532143e63649804

Regards

On Tue, Dec 16, 2014 at 10:01 AM, Niloy Mondal <niloy.mondal84 at gmail.com> wrote:
Thanks, this would work.

How can I construct a template string dynamically? Like reading the template from a file/database and then interpolate it.

On Tue, Dec 16, 2014 at 2:29 PM, Claude Pache <claude.pache at gmail.com> wrote:

On 16 Dec 2014, at 09:27, Niloy Mondal <niloy.mondal84 at gmail.com> wrote:

I want to define a template string using backquotes in a different file and then have it interpolated with actual values in a different file. How can I do it?


Just enclose it in a function:

```javascript
function foo(a) {
    return `some template ${a}`
}

foo("bar") // will evaluate `some template ${"bar"}`
```

-Claude

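
The tagged-template sanitization suggested at the top of the thread, combined with the function wrapper from Claude Pache's reply, as an added example that is not code from any participant. The names `html`, `escapeHTML`, `renderBox` and `renderBoxUnsafe` are hypothetical, and the hostile input is constructed.

```javascript
// Added example (not from the thread): an escaping tag for template strings.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
  '`': '&#96;'
};

// Encode the characters that can end a text node or a quoted attribute value.
function escapeHTML(value) {
  return String(value).replace(/[&<>"'`]/g, ch => HTML_ESCAPES[ch]);
}

// Tag function. `strings` holds the literal chunks written in source code
// (trusted); `values` holds the result of each ${...} (treated as untrusted).
function html(strings, ...values) {
  let out = strings[0];
  for (let i = 0; i < values.length; i++) {
    const v = values[i];
    // Arrays are escaped item by item, then concatenated.
    const escaped = Array.isArray(v) ? v.map(escapeHTML).join('') : escapeHTML(v);
    out += escaped + strings[i + 1];
  }
  return out;
}

// Delayed interpolation via a function; the tag escapes the value when it runs.
function renderBox(className) {
  return html`<div class="${className}"></div>`;
}

// The untagged form from the thread's warning, kept for comparison only.
function renderBoxUnsafe(className) {
  return `<div class="${className}"></div>`;
}

// Constructed input that tries to close the attribute and add a handler.
const hostile = 'x" onmouseover="alert(1)';
console.log(renderBoxUnsafe(hostile)); // attribute boundary is broken
console.log(renderBox(hostile));       // quotes arrive as &quot; and stay inside class=""
```

This escaping is only correct for HTML text content and quoted attribute values; values placed in unquoted attributes, URLs, `<script>` or `<style>` need encoding specific to that context.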