shakespeare-js does not escape #{...} interpolated strings about shakespeare HOT 7 CLOSED

It looks like a bug for me.

from shakespeare.

This is the intended behavior. Whether we should change it, or how we should document it, are good questions. Can you raise them on the mailing list?

from shakespeare.

I also think this behavior is problematic. We should be documenting how to avoid any hassles from automatic safety, not how to make things safe.

from shakespeare.

This is far from a simple matter, which is why I closed the issue in favor of discussing it on the mailing list. The presumption underlying it is that Julius interpolation is fixated on values which will be included in JS string literals. I'm not convinced that this is what people are expecting: it may be quite disconcerting for a user to try and interpolate some JS code and have to escaped as if it were appearing inside of string.

from shakespeare.

Yeah, so from a security standpoint it matters little whether it will be a string literal or something else. To be secure we shouldn't allow any code whatsoever, only JS values.
This is plausible: if someone wants to insert JS code, they can insert a widget.
It would also be a major change: instead of ToJavascript we would probably need to use ToJSON.

from shakespeare.

So should we only interpolate Data.Aeson.Value values? When we
interpolate a Text, should it have quotes automatically added? Should we
apply entity escaping as well to properly avoid XSS attacks? There are a
lot of questions, and I think this is anything but obvious. That's why I'd
rather close the issue and discuss it on the list.

from shakespeare.

@joeyadams do you want to ask this on the mail list?

from shakespeare.