Compiled (⚡) blocks don't escape javascript strings

:zap: in a block means Snap will generate JavaScript code from the blocks put inside it.

The JavaScript generator will just put text in quotes asd"asd"
but strings with special characters need to be escaped \\\\\\
The JavaScript generator doesn't do that.

The zigzag means it's a compiled block and it's a known issue that some compiled blocks don't work in all situations.

So, if it works for you - great - if it doesn't - don't use it

Thanks for the report! I've just deployed a little fix for this, you might want to hard reload Snap for your browser to update its cache.

The problem is, this error creates an XSS vulnerability, giving a project full access to a user's account. Jens fixed it, so 7.2.4 is safe to use. However, it would be better for compiled blocks to only actually compile in JavaScript mode than to allow JavaScript to be used through compilation in normal mode.

Yes, I did custom JavaScript execution in the original post, but it's gone for some reason.

edit: another post gone

I forgot to also escape variable names, fixing this right now, thanks for the report!
A moderator probably deleted your reports here and notified me about them, so I could fix the issue, that's why your original examples that could execute arbitrary JS code are "gone" here. I really appreciate your brilliant analysis and your reports about them, they help make Snap better for all. Again thank you!
(I'm curious, you must be a professional programmer, right? kudos!)
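
The class of fix discussed in this thread (escaping text and variable names before they reach generated JavaScript), as an added example that is not part of the original posts and is not Snap!'s source. The block shapes and all function names are hypothetical, and the sample inputs are constructed.

```javascript
// Toy block-to-JavaScript generator (hypothetical; not Snap!'s source).
// Block: {type:'text', value} | {type:'var', name} | {type:'join', parts}

// Vulnerable form: wraps the text in quotes and does nothing else.
function emitTextUnsafe(value) {
    return '"' + value + '"';
}

// Hardened form: JSON.stringify escapes quotes, backslashes and control
// characters. '<', U+2028 and U+2029 are escaped as well, so the literal
// stays inert inside an inline <script> and in pre-ES2019 engines.
function emitText(value) {
    return JSON.stringify(String(value)).replace(/[<\u2028\u2029]/g,
        c => '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}

// Variable names are data too: emit a quoted lookup key instead of
// pasting the name into the generated source as an identifier.
function emitVar(name) {
    return 'vars[' + emitText(name) + ']';
}

function compile(block, textEmitter = emitText) {
    switch (block.type) {
    case 'text': return textEmitter(block.value);
    case 'var': return emitVar(block.name);
    case 'join': return '(' + block.parts
        .map(p => 'String(' + compile(p, textEmitter) + ')').join(' + ') + ')';
    default: throw new Error('unknown block type: ' + block.type);
    }
}

// Evaluate generated source with `vars` as its only argument.
function run(source, vars = {}) {
    return new Function('vars', 'return ' + source + ';')(vars);
}

// True when the generated code yields exactly the original text.
function roundTrips(value, textEmitter) {
    try {
        return run(compile({type: 'text', value}, textEmitter)) === value;
    } catch (e) {
        return false; // generated source did not parse
    }
}
```

`roundTrips` doubles as a regression check: any text for which it returns false with a given emitter means that emitter lets user data change the structure of the generated program.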