jashkenas · Mar 14, 2021
diff --git a/‎modules/template.js
+1-9 b/‎modules/template.js
+1-9
diff --git a/‎underscore-esm.js
+1-9 b/‎underscore-esm.js
+1-9
diff --git a/‎underscore-esm.js.map
+1-1 b/‎underscore-esm.js.map
+1-1
diff --git a/‎underscore.js
+1-9 b/‎underscore.js
+1-9
diff --git a/‎underscore.js.map
+1-1 b/‎underscore.js.map
+1-1
@@ -24,11 +24,6 @@ function escapeChar(match) {
   return '\\' + escapes[match];
 }
 
-// In order to prevent third-party code injection through
-// `_.templateSettings.variable`, we test it against the following regular
-// expression. It is intentionally a bit more liberal than just matching valid
-// identifiers, but still prevents possible loopholes through defaults or
-// destructuring assignment.
 var bareIdentifier = /^\s*(\w|\$)+\s*$/;
 
 // JavaScript micro-templating, similar to John Resig's implementation.
@@ -68,10 +63,7 @@ export default function template(text, settings, oldSettings) {
 
   var argument = settings.variable;
   if (argument) {
-    // Insure against third-party code injection.
-    if (!bareIdentifier.test(argument)) throw new Error(
-      'variable is not a bare identifier: ' + argument
-    );
+    if (!bareIdentifier.test(argument)) throw new Error(argument);
   } else {
     // If a variable is not specified, place data values in local scope.
     source = 'with(obj||{}){\n' + source + '}\n';