I am trying to parse untrusted strings and represent them in a form that would be safe to execute.
So assuming as-echo.sh is defined as below, for example:

    cmd="echo"
    for a in "$@"
    do
        cmd="$cmd '${a/\'/''}'"
    done
    echo "$cmd"
    eval "$cmd"

Then:

    as-echo.sh 'a' '$(foobar)' 'c'

would produce:

    echo 'a' '$b' 'c'
    a $b c

Is my code safe, or can someone maliciously choose arguments to as-echo.sh that could cause it (as-echo.sh) to do something other than write to stdout?

Can anyone point me to best practice for this kind of protection in bash?

jon.
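
An added example, not part of the original post: one way to make each argument a single literal word for eval is to wrap it in single quotes and rewrite every embedded ' as '\'' (a single-slash ${a/.../...} substitution rewrites only the first match, and doubling a quote is not an escape inside single quotes). The function names quote_arg, build_cmd and roundtrips are hypothetical; bash also provides printf '%q' for the same purpose.

```sh
# Added example (POSIX sh, also valid bash). Function names are hypothetical.

# Print $1 as one single-quoted shell word. Inside '...' nothing is special
# except ' itself, so every embedded ' becomes '\'' (close, escaped quote, reopen).
quote_arg() {
    s=$1
    out=
    while :; do
        case $s in
            *\'*)
                head=${s%%\'*}        # text before the first remaining quote
                s=${s#*\'}            # text after it
                out="$out$head'\\''"
                ;;
            *)
                out="$out$s"
                break
                ;;
        esac
    done
    printf "'%s'" "$out"
}

# Build the same "echo ..." command string as as-echo.sh, with every
# argument quoted by quote_arg.
build_cmd() {
    cmd=echo
    for a in "$@"; do
        cmd="$cmd $(quote_arg "$a")"
    done
    printf '%s' "$cmd"
}

# Succeed only if every argument survives quote -> eval unchanged,
# as exactly one word.
roundtrips() {
    for a in "$@"; do
        ( eval "set -- $(quote_arg "$a")"
          [ "$#" -eq 1 ] && [ "$1" = "$a" ] ) || return 1
    done
}

# Constructed sample input; prints: a $(foobar) it's
eval "$(build_cmd 'a' '$(foobar)' "it's")"
```

Where the command does not have to exist as a string, running it directly with "$@" (or from a bash array) avoids eval and the quoting problem altogether.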