Defensive Programming with Tagged Templates

Snippet

Defensive Programming with Tagged Templates

Tagged templates allow intercepting template literal processing. This 'Expert' pattern is crucial for building Domain Specific Languages (DSLs) or security layers that automatically sanitize inputs before they reach sensitive sinks like HTML or SQL.

snippet.js

javascript

function safeHTML(strings, ...values) {
  return strings.reduce((acc, str, i) => {
    const val = String(values[i] || '').replace(/[&<>"]/g, c => ({'&':'&amp;','<':'&lt;','>':'&gt;','"':'&quot;'}[c]));
    return acc + str + val;
  }, '');
}
 
const userInput = '<img src=x onerror=alert(1)>';
const message = safeHTML`<div>User says: ${userInput}</div>`;
console.log(message);

nodejs

Breakdown

function safeHTML(strings, ...values)

A tag function that receives raw string fragments and the interpolated values separately.

values[i].replace(/[&<>"]/g, ...)

Aggressively escapes special characters within the values to prevent injection attacks.

safeHTML`... ${userInput}`

Invokes the sanitizer tag, ensuring the resulting string is safe for rendering.

Previous snippet Next snippet

More Expert JavaScript exercises →

From your library

Defensive Programming with Tagged Templates

Related