[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [O] Org campture recursively expands %-escapes
From: |
Nicolas Goaziou |
Subject: |
Re: [O] Org campture recursively expands %-escapes |
Date: |
Thu, 26 Nov 2015 13:54:18 +0100 |
Hello,
Thomas Preindl <address@hidden> writes:
> setting up my capture templates to work with a new Chrome extension I
> noticed that when i mark some text containing %-escapes inserted with the
> '%i' in the template the %-escape was
> evaluated.
>
> For example, marking %(print (buffer-name)) will be replaced with
> "*Capture*".
>
> I am now wondering if this is intended or not and if this could be
> used as a kind of exploit to run code if someone captures code
> from a website.
Judging from `org-capture-fill-template', this is a feature. Worse,
%(...) placeholders, the most dangerous ones, are always expanded last.
I guess the intent is to fill the Sexp with previous placeholders and
then eval it for a proper result (see, e.g., `org-capture-template's
docstring).
One solution would be to expand recursively Sexp placeholders at the
beginning of `org-capture-fill-template', right after expanding
properties placeholders (i.e., %:property), so as to limit the problem.
We could also remove recursivity for placeholders altogether. It is
buggy anyway (e.g., if a property placeholder introduces another
placeholder, the latter is not expanded).
Question to the ML: is there anyone relying on placeholder recursion?
Regards,
--
Nicolas Goaziou