Secure String Interpolation in JavaScript
Mike Samuel of the Google Caja team (and much more) has a fantastically detailed document on the choices for secure String interpolation in JavaScript.
He spends a lot of time discussing:
- Cataloging the most common vulnerabilities
- Various alternatives such as templating, DOM manipulation, and tainting
- Goals and Non-Goals
- Design and Implementation
- Benchmarking the choices
There are a large number of examples along the way:
```javascript
var ids = [1, 2, 3, 4];
var column = 'value';
var foo = 'foo';

open(Template("SELECT $column FROM Table WHERE id IN $ids AND foo LIKE $foo"))
// === "SELECT `value` FROM Table WHERE id IN (1, 2, 3, 4) AND foo LIKE 'foo'"
```
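As an added example (not code from Mike Samuel's document or from Caja), here is a minimal context-aware SQL template built on an ES2015 tagged template literal, a modern stand-in for the `Template(...)` call above. It assumes the caller marks identifiers explicitly with a hypothetical `ident()` helper, where the original design infers that context from the query grammar; the encoding of arrays, numbers and strings follows the output shown above.

```javascript
// Added example: each interpolated value is encoded according to what it is,
// so a string can never escape its literal and an identifier is validated.
class Identifier {
  constructor(name) { this.name = name; }
}
// Hypothetical helper: marks a value as a table/column name, not data.
function ident(name) { return new Identifier(name); }

// Identifiers: allow a conservative charset only, then backtick-quote.
function quoteIdentifier(name) {
  if (!/^[A-Za-z_][A-Za-z0-9_]*$/.test(name)) {
    throw new Error('unsafe identifier: ' + JSON.stringify(name));
  }
  return '`' + name + '`';
}

// String literals: single-quote, escaping anything that could end the literal.
function quoteString(s) {
  const map = { '\0': '\\0', '\n': '\\n', '\r': '\\r',
                '\\': '\\\\', "'": "\\'", '"': '\\"' };
  return "'" + s.replace(/[\0\n\r\\'"]/g, (c) => map[c]) + "'";
}

function encode(value) {
  if (value instanceof Identifier) return quoteIdentifier(value.name);
  if (typeof value === 'number' && Number.isFinite(value)) return String(value);
  if (typeof value === 'boolean') return value ? 'TRUE' : 'FALSE';
  if (value === null || value === undefined) return 'NULL';
  if (Array.isArray(value)) return '(' + value.map(encode).join(', ') + ')';
  if (typeof value === 'string') return quoteString(value);
  throw new TypeError('cannot encode ' + typeof value + ' into SQL');
}

// Tag function: the template author writes sql`... ${value} ...` and the
// tag, not the caller, decides how every value is rendered.
function sql(strings, ...values) {
  let out = strings[0];
  for (let i = 0; i < values.length; i++) {
    out += encode(values[i]) + strings[i + 1];
  }
  return out;
}

// The page's example rebuilt with the tag (constructed input).
function pageExample() {
  const ids = [1, 2, 3, 4];
  const column = ident('value');
  const foo = 'foo';
  return sql`SELECT ${column} FROM Table WHERE id IN ${ids} AND foo LIKE ${foo}`;
}
// → SELECT `value` FROM Table WHERE id IN (1, 2, 3, 4) AND foo LIKE 'foo'
```

A value such as `"foo' OR '1'='1"` is rendered as a single escaped literal, and an identifier containing a backtick or semicolon is rejected before it reaches the query.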