html/template: add support for template strings (backticks)

by opennota:

ES6 specifies a new language feature called "Template Strings" (often also referred to as "Quasi Literals" alongside multi-line strings and others). This allows executing arbitrary JavaScript code without using parentheses, using back-ticks instead. Inside back-tick delimited strings, placeholders such as ${} can wrap executable code.

http://play.golang.org/p/nBEneuxHNj

If you open the output of the above program in a modern browser (e.g., recently released Mozilla Firefox 34 supports template strings), it will happily execute alert(1).

References:

https://people.mozilla.org/~jorendorff/es6-draft.html

https://html5sec.org/#140

https://html5sec.org/#141
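A review-time check for the case reported above, added here as an example and not part of the original report or of html/template: it lists template actions that sit inside a backtick-delimited JavaScript string in a `<script>` block, so they can be moved into a quoted string or a data attribute. The helper name `ActionsInTemplateLiterals`, the simplified `<script>` matcher and the sample template are assumptions; JS comments, regex literals and nested `${}` expressions are not modelled.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// scriptRe captures each <script> body (simplified matcher, an assumption).
var scriptRe = regexp.MustCompile(`(?is)<script[^>]*>(.*?)</script>`)

// ActionsInTemplateLiterals (hypothetical helper) returns the {{...}} actions
// that sit inside a backtick-delimited JS string within a <script> block.
func ActionsInTemplateLiterals(src string) []string {
	var found []string
	for _, m := range scriptRe.FindAllStringSubmatch(src, -1) {
		js := m[1]
		var quote byte // 0 = plain code, else the open delimiter: ' " or `
		for i := 0; i < len(js); i++ {
			c := js[i]
			switch {
			case strings.HasPrefix(js[i:], "{{"):
				end := strings.Index(js[i:], "}}")
				if end < 0 {
					end = len(js) - i - 2 // unterminated action: take the rest
				}
				if quote == '`' {
					found = append(found, js[i:i+end+2])
				}
				i += end + 1 // resume after the action
			case quote != 0 && c == '\\':
				i++ // skip the escaped character
			case quote == 0 && (c == '\'' || c == '"' || c == '`'):
				quote = c
			case c == quote:
				quote = 0
			}
		}
	}
	return found
}

// sample is a constructed template, not taken from the issue's playground link.
const sample = "<script>var a = '{{.A}}'; var b = `hi {{.B}}`;</script>" +
	"<p>`{{.C}}`</p><script>var c = \"it's {{.D}}\" + `\\` {{.E}}`;</script>"

func main() {
	fmt.Println(ActionsInTemplateLiterals(sample))
}
```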