by TeMPOraL
3475 days ago
True, though as you note, this is essentially true of any form of plain string concatenation. Dedicated templating languages tend to fail at this too. Escaping-as-default helps, but people sometimes forget escaping is a function of output context. For example,

  <script>
  frobnicate("{bar}");
  </script>

is a potential vulnerability if the default escaping mechanism for {bar} is one meant for HTML.
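An added example, not code from the comment above, showing the point concretely in Python: the same value escaped once with the HTML-context escaper and once with an escaper written for the actual context, a double-quoted JS string literal inside a script block. The `SAMPLE` value and the function names (`js_string_literal`, `html_escaped_literal`, `literal_is_well_formed`, `round_trips`, `render`) are constructed for this illustration; only the standard library `html` and `json` modules are used.

```python
import html
import json

# Constructed sample value (not from the original comment). It packs together the
# characters that matter once a value lands inside a JS string literal in <script>:
# double quotes, a backslash, a newline, a closing script tag and an ampersand.
SAMPLE = 'say "hi" \\ then\n</script> & done'


def js_string_literal(value: str) -> str:
    """Escape for the context the comment describes: a double-quoted JS string literal
    inside a <script> block.  JSON string syntax is a subset of JS string syntax, and
    json.dumps (ensure_ascii=True) already escapes quotes, backslashes, control
    characters and all non-ASCII, including U+2028/U+2029.  The parser inside <script>
    never decodes HTML entities but does stop at '</script', so '<', '>' and '&' are
    additionally written as \\uXXXX escapes, which JS decodes inside the literal."""
    literal = json.dumps(value)
    return (literal.replace('<', '\\u003c')
                   .replace('>', '\\u003e')
                   .replace('&', '\\u0026'))


def html_escaped_literal(value: str) -> str:
    """The mistake the comment describes: apply the HTML-context escaper to the value
    and drop the result between the quotes of a JS string literal."""
    return '"' + html.escape(value, quote=True) + '"'


def literal_is_well_formed(js_literal: str) -> bool:
    """Conservative check that js_literal is one complete JS string literal that can be
    embedded in <script>: no raw line terminators (a syntax error inside a JS string
    and a sign the value escaped the literal), no '</' (could begin a script-closing
    tag, which the HTML parser honours regardless of JS quoting), and it parses as a
    JSON string.  HTML escaping passes backslashes and newlines straight through, so
    its output fails this check."""
    if any(ch in js_literal for ch in '\n\r\u2028\u2029'):
        return False
    if '</' in js_literal:
        return False
    try:
        return isinstance(json.loads(js_literal), str)
    except ValueError:
        return False


def round_trips(value: str) -> bool:
    """Correct escaping is lossless: the literal decodes back to exactly the input.
    HTML escaping is not, because the script parser leaves '&quot;' as six literal
    characters."""
    return json.loads(js_string_literal(value)) == value


def render(bar: str) -> str:
    """The comment's template with the context-correct escaper applied to {bar}."""
    return '<script>\nfrobnicate(%s);\n</script>' % js_string_literal(bar)


if __name__ == '__main__':
    print(render(SAMPLE))
    print('html-escaped literal well formed:',
          literal_is_well_formed(html_escaped_literal(SAMPLE)))
    print('js-escaped literal well formed:  ',
          literal_is_well_formed(js_string_literal(SAMPLE)))
```

The design choice worth noting is that the JS-context escaper is not "HTML escaping plus a bit more": it is a different function entirely, and a template engine that picks the escaper per variable rather than per output context (`frobnicate("{bar}")` versus `<p>{bar}</p>`) will get one of the two wrong. Escapers for script blocks in mainstream engines take this same JSON-then-`\u003c` approach.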