invokeMethods and echoCommand
Expected behavior
When entering a command which contains text to invoke methods, the command is processed (in my case, sent to the server via socket.io). The cmd or method invocations should not fire at this point. In terms of user expectations, the command just typed is not being echoed back - it’s just remaining behind.
Actual behavior
In fact the prompt and the command just entered are echoed back and cmd/method invocations fire immediately. This behavior interferes with entering any text containing cmd/method invocation strings. Furthermore, there is no opportunity to sanitize or escape the entered command before it is echoed back, which means the user’s command line is a vector for a social-engineering attack (getting people to type [[ terminal::pause() ]] for example). This appears to be a “hole” in the ability to use these invocations safely.
My workaround is to turn off echoCommand and echo the prompt + sanitized command via code. I escape brackets thusly and insert zero-width non-join characters: command.replace(/\[/g, '[‌').replace(/\]/g, ']‌');
However this means I must replace all cases where echoCommand: true would apply such as with terminal.read.
Steps to reproduce
In an interpreter with invokeMethods: true; echoCommand: true; enter: [[ terminal::clear() ]]
Browser and OS
Firefox 60.8.0esr (64-bit), Debian stretch
Issue Analytics
- Created 4 years ago
- Comments: 8 (5 by maintainers)
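The workaround described in the issue (echo the prompt plus a sanitized command with echoCommand turned off), as an added example that is not part of the original issue or the library's code. The function names and the regular expression used to recognise `[[ terminal::method() ]]` sequences are assumptions made for illustration.

```javascript
// Added example: neutralise [[ ... ]] sequences in user input before it is echoed.
// The zero-width non-joiner is written as an escape so it is visible in source.
const ZWNJ = '\u200C';

// Assumption: an invocation looks like the ones quoted on this page,
// e.g. [[ terminal::clear() ]], with optional spaces inside the brackets.
const INVOCATION = /\[\[\s*terminal::(\w+)\(([^\]]*)\)\s*\]\]/g;

// Return the method names a string would try to invoke if echoed unescaped.
function findInvocations(text) {
  return Array.from(text.matchAll(INVOCATION), (m) => m[1]);
}

// Append ZWNJ after every [ and ] so no "[[" or "]]" pair survives.
// The text renders the same to the user but no longer parses as an invocation.
function neutralizeBrackets(command) {
  return command.replace(/\[/g, '[' + ZWNJ).replace(/\]/g, ']' + ZWNJ);
}

// Build the line to echo manually: the prompt is trusted, the command is not.
function buildEchoLine(prompt, command) {
  return prompt + neutralizeBrackets(command);
}

// Constructed sample input: commands a user might be talked into typing.
const samples = [
  'help',
  '[[ terminal::clear() ]]',
  'please run [[ terminal::pause() ]] now',
];

for (const cmd of samples) {
  const line = buildEchoLine('> ', cmd);
  console.log(JSON.stringify(cmd),
    'before:', findInvocations(cmd),
    'after:', findInvocations(line));
}
```

The original command, not the sanitized line, is what should be sent on to the server; the ZWNJ characters exist only in the echoed copy.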
Top GitHub Comments
Sorry, you’re right, echo command is invoking methods, it should not execute the command, I was testing with prism enabled that was escaping brackets. This should be easy to fix, because echo has an option exec that can be set to false.
Released in version 2.7.1, will publish to npm soon.