CodeClarityLab / Glossary
Ctrl K
← CodeClarityLab Home
Browse by Category
+ added · updated 7d
⚖ Terms of Use
← Back to glossary

Template Literals

javascript ES2015 Beginner
debt(d5/e3/b3/t7)
d5 Detectability Operational debt — how invisible misuse is to your safety net

Closest to 'specialist tool catches it' (d5). ESLint and Semgrep can detect the pattern of innerHTML with template literals containing variables, but this requires rule configuration and doesn't catch all XSS vectors—runtime context matters (was the variable sanitised upstream?). The detection is not automatic without explicit rules enabled.

e3 Effort Remediation debt — work required to fix once spotted

Closest to 'simple parameterised fix' (e3). The quick_fix is clear: replace innerHTML with textContent or switch to a tagged template library. This is typically a single-call or single-pattern swap within one component, though widespread innerHTML usage may require multiple edits in one file.

b3 Burden Structural debt — long-term weight of choosing wrong

Closest to 'localised tax' (b3). Template literals are localised to string-building contexts; the choice doesn't reshape the entire codebase. However, if a team adopts unsafe innerHTML + template literal patterns widely, it creates scattered XSS risk. The burden is moderate because the unsafe pattern is easy to repeat but contained to rendering logic.

t7 Trap Cognitive debt — how counter-intuitive correct behaviour is

Closest to 'serious trap' (t7). The misconception explicitly states that template literals *feel* safe (readable, modern syntax) but are not inherently safe when combined with innerHTML—contradicting how similar string operations work in safer contexts (textContent, DOM methods). A developer familiar with template literals from safe contexts (console.log, assignments) will assume the same safety applies to DOM insertion, which is wrong.

About DEBT scoring → scored by claude-haiku-4-5-20251001 · 2026-05-10 · reviewed by human

Also Known As

template strings backtick strings string interpolation JS tagged templates

TL;DR

Backtick strings with ${expression} interpolation — the JavaScript equivalent of PHP's double-quoted strings and heredoc.

Explanation

Template literals use backticks and support multi-line strings and ${expression} interpolation. Tagged templates allow custom processing: html`<div>${userInput}</div>` can auto-escape. Nesting: `${condition ? `<span>${val}</span>` : ''}`. PHP parallel: double-quoted "Hello $name" and heredoc. Key difference: PHP interpolates at string creation time; JS template literals evaluate the expression — you can embed any JS expression, not just variables.

Common Misconception

Template literals with user content are safe — `<div>${userInput}</div>` is still XSS-vulnerable if inserted via innerHTML; use a tagged template library like htm or lit-html that escapes automatically.

Why It Matters

Template literals make JavaScript string building as readable as PHP heredoc, but without careful escaping they introduce XSS when used with innerHTML.

Common Mistakes

  • Using innerHTML with template literal containing user data — XSS
  • Nesting backtick strings without proper escaping
  • Forgetting tagged templates for HTML generation

Code Examples

✗ Vulnerable 
// XSS — user input in template literal via innerHTML:
el.innerHTML = `<li class="item">${user.bio}</li>`;
✓ Fixed 
// Safe with textContent:
const li = document.createElement('li');
li.className = 'item';
li.textContent = user.bio; // safe

// Tagged template for automatic escaping:
const html = (strings, ...values) =>
    strings.reduce((r, s, i) =>
        r + s + (values[i] != null
            ? String(values[i]).replace(/&/g,'&amp;').replace(/</g,'&lt;')
            : ''), '');
el.innerHTML = html`<li class="item">${user.bio}</li>`;
Added 17 Mar 2026
Edited 22 Mar 2026
Views 26

Curated in Warsaw under one editorial standard. 1,448 terms, single voice.  About this reference →

Rate this term
No ratings yet
🤖 AI Guestbook educational data only
| |
Last 30 days
0 pings T 1 ping F 0 pings S 0 pings S 1 ping M 0 pings T 0 pings W 2 pings T 2 pings F 0 pings S 0 pings S 0 pings M 0 pings T 1 ping W 0 pings T 1 ping F 0 pings S 0 pings S 0 pings M 0 pings T 0 pings W 0 pings T 2 pings F 0 pings S 0 pings S 0 pings M 0 pings T 1 ping W 0 pings T 0 pings F
Agents 0
No pings yet today
No pings yesterday
Amazonbot 10 Unknown AI 3 Ahrefs 2 Google 2 ChatGPT 2 Majestic 1 Perplexity 1 Bing 1
Also referenced
Cross-Site Scripting (XSS) 31 Client-Side Sanitisation 28 Tagged Template Literals 28 DOM Manipulation 27
How they use it
crawler 19 crawler_json 2 pre-tracking 1
Related categories
security 4.6k javascript 2.5k
DEV INTEL Tools & Severity
🟡 Medium ⚙ Fix effort: Low
⚡ Quick Fix
Never use template literals with innerHTML for user content — use textContent or a sanitising tagged template
📦 Applies To
javascript ES2015 web cli
🔗 Prerequisites
🔍 Detection Hints
innerHTML with template literal containing variable from user data or API response
Auto-detectable: ✓ Yes eslint semgrep
⚠ Related Problems
🤖 AI Agent
Confidence: Medium False Positives: Medium ✓ Auto-fixable Fix: Low Context: Line
CWE-89 CWE-79
✓ schema.org compliant