invokeMethods and echoCommand

Expected behavior

When entering a command which contains text to invoke methods, the command is processed (in my case, sent to the server via socket.io). The cmd or method invocations should not fire at this point. In terms of user expectations, the command just typed is not being echoed back - it’s just remaining behind.

Actual behavior

In fact the prompt and the command just entered is echoed back and cmd/method invocations fire immediately. This behavior interferes with entering any text containing cmd/method invocation strings. Furthermore, there is no opportunity to sanitize or escape the entered command before it is echoed back, which means the user’s commandline is a vector for social-engineering attack (getting people to type [[ terminal::pause() ]] for example). This appears to be a “hole” in the ability to use these invocations safely.

My workaround is to turn off echoCommand and echo the prompt + sanitized command via code. I escape brackets thusly and insert zero-width non-join characters: command.replace(/\[/g, '[‌').replace(/\]/g, ']‌');

However this means I must replace all cases where echoCommand: true would apply such as with terminal.read.

Steps to reproduce

In an interpreter with invokeMethods: true; echoCommand: true; enter: [[ terminal::clear() ]]

Browser and OS

firefox 60.8.0esr (64-bit), Debian stretch