Doug Parker 🕸️

Question about the security of in . I understand how they are called with literal values separated from interpolations, which you can use to identify hard-coded constants which can't be compromised.

But there's no guarantee a tagged template function is _actually_ called via a tagged template literal right? How is it "safe by construction" if anyone can just pass in any input? Example:

```js
html([ '<script>alert("Hacked!");</script>' ])
```

I get that this is harder to pull off in practice because you need a reference to the function itself (`html`), not just an input to it. Definitely a huge improvement, but doesn't entirely eliminate risk. Is there something else I'm missing here?

Probably @justinfagnani or someone else from would know the answer to this?