techhub.social is one of the many independent Mastodon servers you can use to participate in the fediverse.
#TaggedTemplateLiterals

Doug Parker 🕸️

Question about the security of #TaggedTemplateLiterals in #JavaScript. I understand how they are called with literal values separated from interpolations, which you can use to identify hard-coded constants which can't be compromised.

But there's no guarantee a tagged template function is _actually_ called via a tagged template literal, right? How is it "safe by construction" if anyone can just pass in any input? Example:

```
html([ '<script>alert("Hacked!");</script>' ])
```

I get that this is harder to pull off in practice because you need a reference to the function itself (`html`), not just an input to it. Definitely a huge improvement, but doesn't entirely eliminate #XSS risk. Is there something else I'm missing here?

Probably @justinfagnani (fosstodon.org) or someone else from #Lit would know the answer to this?
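The following is an added example, not part of the post above and not Lit's own code. It shows one way a tag function can check that it really was invoked as a tagged template: per the ECMAScript spec, the template strings array handed to a tag is frozen, carries a frozen `raw` array of the same length, and has exactly one more entry than there are substitutions. A plain array like the one in the question fails that check. The names `html`, `isTemplateStringsArray`, `escapeHtml` and `renderGreeting` are assumed for illustration.

```javascript
// Added example (not from the original post or from Lit): a tag function
// that refuses to run unless it was genuinely invoked as a tagged template,
// and that escapes every interpolated value regardless of who calls it.

function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// A real template strings array is frozen, has a frozen `raw` array of the
// same length, and has one more entry than there are substitution values.
function isTemplateStringsArray(strings, values) {
  return (
    Array.isArray(strings) &&
    Object.isFrozen(strings) &&
    Array.isArray(strings.raw) &&
    Object.isFrozen(strings.raw) &&
    strings.raw.length === strings.length &&
    strings.length === values.length + 1
  );
}

// Hypothetical tag: literal parts are emitted as-is, interpolations escaped.
function html(strings, ...values) {
  if (!isTemplateStringsArray(strings, values)) {
    throw new TypeError("html must be called as a tagged template literal");
  }
  let out = strings[0];
  for (let i = 0; i < values.length; i++) {
    out += escapeHtml(values[i]) + strings[i + 1];
  }
  return out;
}

// Legitimate use: the literal markup is trusted, the interpolation is not.
function renderGreeting(name) {
  return html`<p>Hello, ${name}!</p>`;
}

// The call from the question: a plain array, not a template object.
function callWithPlainArray() {
  try {
    html(['<script>alert("Hacked!");</script>']);
    return "accepted";
  } catch (e) {
    return e instanceof TypeError ? "rejected" : "error";
  }
}

// Constructed sample input standing in for untrusted user data.
const untrusted = '<img src=x onerror="alert(1)">';
```

The shape check catches the plain-array call from the question, but it is a guard against misuse rather than a proof: anyone who can already execute JavaScript in the page could build a frozen array with a `raw` property and pass it in, and at that point they could also just write `html\`...\`` themselves. The durable guarantee is the other half of the function: every value that arrives through `values` is escaped no matter who holds the reference to `html`, so untrusted data can only ever land in the interpolation slots, never in the literal parts.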