Template strings restrict escape sequences

Author：Chuan Chen 阅读数：56761人阅读分类： JavaScript

Background of ECMAScript 9's Restrictions on Escape Sequences in Template Strings

ECMAScript 9 introduced stricter limitations on escape sequences in template strings, primarily for security and code consistency reasons. In earlier versions, template strings allowed certain illegal escape sequences, which could lead to unexpected behavior or security vulnerabilities. The new specification clearly defines which escape sequences are legal and which are illegal.

Basic Rules for Escape Sequences in Template Strings

In ECMAScript, template strings are enclosed in backticks (`) and support interpolation expressions. Escape sequences start with a backslash (\) and are used to represent special characters. The following are legal escape sequences:

// Legal escape sequences
console.log(`\n`); // Newline
console.log(`\t`); // Tab
console.log(`\\`); // Backslash
console.log(`\``); // Backtick
console.log(`\${`); // Literal for interpolation expression

Changes in Restrictions in ECMAScript 9

ECMAScript 9 introduced restrictions on undefined escape sequences. In previous versions, undefined escape sequences were silently ignored or treated as literals, but in ECMAScript 9, this now throws a syntax error. For example:

// Throws a syntax error in ECMAScript 9
console.log(`\x`); // Error: Invalid hexadecimal escape sequence
console.log(`\u`); // Error: Invalid Unicode escape sequence
console.log(`\u{1F600}`); // Legal: Unicode code point escape

Examples of Legal Escape Sequences

The following are explicitly supported escape sequences in ECMAScript 9:

Common Escape Sequences:

console.log(`Hello\nWorld`); // Newline
console.log(`Name:\tJohn`); // Tab

Unicode Escape Sequences:

console.log(`\u0041`); // 'A'
console.log(`\u{1F600}`); // '😀'

Hexadecimal Escape Sequences:
```
console.log(`\x41`); // 'A'
```

Examples of Illegal Escape Sequences

The following escape sequences are illegal in ECMAScript 9 and will throw a syntax error:

// Illegal escape sequences
console.log(`\a`); // Error: \a is undefined
console.log(`\z`); // Error: \z is undefined
console.log(`\u{110000}`); // Error: Exceeds Unicode range

Restrictions on Escape Sequences in Strict Mode

In strict mode ('use strict'), ECMAScript 9 imposes even stricter limitations on escape sequences. For example, octal escape sequences are prohibited in strict mode:

'use strict';
console.log(`\251`); // Error: Octal escape sequences are not allowed in strict mode

Practical Considerations

When Dynamically Generating Template Strings: If the content of a template string is dynamically generated, ensure it does not contain illegal escape sequences. For example:
```
const userInput = '\\x41'; // User input
console.log(`User input: ${userInput}`); // Outputs normally
console.log(`User input: \x41`); // May throw an error
```
Multiline Template Strings: Escape sequences in multiline template strings are also subject to restrictions:
```
console.log(`Line 1\nLine 2`); // Legal
console.log(`Line 1\mLine 2`); // Error: \m is illegal
```

Alternatives to Escape Sequences

To avoid illegal escape sequences, you can use other methods to achieve the same result:

Using Unicode Code Points:

console.log(`Smile: \u{1F600}`); // 'Smile: 😀'

Using String Concatenation:

console.log('Smile: ' + String.fromCodePoint(0x1F600)); // 'Smile: 😀'

Escape Sequences in Tagged Template Functions

Tag functions can customize the processing of template strings, but the restrictions on escape sequences still apply:

function tag(strings, ...values) {
  console.log(strings.raw[0]); // Raw string
  return 'Processed';
}

tag`\x41`; // Raw string is '\x41', but parsing may throw an error

Comparison with Other Languages

Compared to other programming languages, ECMAScript 9 imposes stricter limitations on escape sequences. For example, in Python, undefined escape sequences are preserved as literals: