Bash tool incorrectly rejects heredoc containing JavaScript template literals
Problem
The Bash tool rejects valid heredoc input when it contains JavaScript template literals with the pattern ${func()}, even when using single-quote heredoc syntax that should prevent variable substitution.
Steps to Reproduce
cat <<'EOF'
return `<div>${escapeHtml(cmd)}</div>`
EOF
Error: Failed to parse command: Bad substitution: escapeHtml
Expected Behavior
Single-quote heredoc (<<'EOF') should pass content literally to bash without interpretation. The pattern ` ${...} ` is valid JavaScript template literal syntax and should not be treated as bash variable substitution.
Workaround
Using /bin/bash -c bypasses this check:
/bin/bash -c 'cat <<'\''EOF'\''
return `<div>${escapeHtml(cmd)}</div>`
EOF'
This workaround proves the content is valid bash syntax, but the command is overly complex.
Impact
This limitation severely affects the eed workflow when editing JavaScript/TypeScript files, as template literals are standard modern JS syntax. Common patterns like:
- `
string ${expression}` - `
<div className="${classes}">` - `
fetch(${API_URL}/endpoint)`
All trigger false positives.
Proposed Solution
Similar to --dangerously-skip-permissions, provide a flag like:
--allow-template-literals--disable-heredoc-validation- Environment variable:
CLAUDE_CODE_BASH_SKIP_VALIDATION=1
This would allow advanced users to bypass the safety check when needed, while keeping the default secure behavior for typical use cases.
Context
- This appears to be a pre-processing safety check in Claude Code's Bash tool
- Standard bash correctly handles this syntax
- The check specifically triggers on: backtick +
${name()}pattern - Simple `
${var}` without parentheses works fine
Version
- Claude Code: 2.0.5
- OS: Linux 6.14.0-33-generic
Thank you for considering this improvement!
This issue has 5 comments on GitHub. Read the full discussion on GitHub ↗