Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

I think google search uses this templating language:

http://code.google.com/p/google-ctemplate/

It makes sense that the ${ could cause problems.



In my experience it's pretty rare for template language bugs to cause errors if user entered content includes one of their special characters. The template would have to be evaluated twice for any problems to occur - once to insert the user's template code in to placeholders within the original template , and then once again to execute the resulting combination.


Sad to say, Mustache.js has exactly this bug last time I checked, but only under some circumstances.

Minimal reproduction:

        Mustache.to_html('{{b}}', {b: '{{c}x}' }) -> '{{c}x}'
        Mustache.to_html('{{#a}}{{b}}{{/a}}', {a: [{b: '{{c}x}' }]}) -> '{{c}x}'
        Mustache.to_html('{{b}}', {b: '{{c}}' }) -> '{{c}}'
        Mustache.to_html('{{#a}}{{b}}{{/a}}', {a: [{b: '{{c}}' }]}) -> '' (wrong)


Hrm, but is $ a metacharacter in that language?



Hrm, did you click the link?


Most likely he did. Did you?

If you did click and skim the page at 1000000000 words/sec, those `$` over there are for USD, and not part of templating system.


I disagree! It does not make sense that submitting any text via a form input should in any way interfere with a templating engine, in the same way we dont expect to be able to affect a database by entering SQL into a form field.

The fact that Google brings back an empty result set to me indicates the problem is a bit deeper...




Consider applying for YC's Fall 2026 batch! Applications are open till July 27.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: