Bash tool incorrectly rejects heredoc containing JavaScript template literals

Resolved 💬 5 comments Opened Oct 10, 2025 by shukebeta Closed Jan 10, 2026

Problem

The Bash tool rejects valid heredoc input when it contains JavaScript template literals with the pattern ${func()}, even when using single-quote heredoc syntax that should prevent variable substitution.

Steps to Reproduce

cat <<'EOF'
return `<div>${escapeHtml(cmd)}</div>`
EOF

Error: Failed to parse command: Bad substitution: escapeHtml

Expected Behavior

Single-quote heredoc (<<'EOF') should pass content literally to bash without interpretation. The pattern ` ${...} ` is valid JavaScript template literal syntax and should not be treated as bash variable substitution.

Workaround

Using /bin/bash -c bypasses this check:

/bin/bash -c 'cat <<'\''EOF'\''
return `<div>${escapeHtml(cmd)}</div>`
EOF'

This workaround proves the content is valid bash syntax, but the command is overly complex.

Impact

This limitation severely affects the eed workflow when editing JavaScript/TypeScript files, as template literals are standard modern JS syntax. Common patterns like:

  • ` string ${expression} `
  • ` <div className="${classes}"> `
  • ` fetch(${API_URL}/endpoint) `

All trigger false positives.

Proposed Solution

Similar to --dangerously-skip-permissions, provide a flag like:

  • --allow-template-literals
  • --disable-heredoc-validation
  • Environment variable: CLAUDE_CODE_BASH_SKIP_VALIDATION=1

This would allow advanced users to bypass the safety check when needed, while keeping the default secure behavior for typical use cases.

Context

  • This appears to be a pre-processing safety check in Claude Code's Bash tool
  • Standard bash correctly handles this syntax
  • The check specifically triggers on: backtick + ${name()} pattern
  • Simple ` ${var} ` without parentheses works fine

Version

  • Claude Code: 2.0.5
  • OS: Linux 6.14.0-33-generic

Thank you for considering this improvement!

View original on GitHub ↗

This issue has 5 comments on GitHub. Read the full discussion on GitHub ↗