Hi Maxim Thanks for your advice, which I appreciate very much.
Maxim Nikulin <maniku...@gmail.com> writes: > On 03/03/2021 09:31, Juan Manuel Macías wrote: >> (start-process-shell-command "zathura" nil (concat "zathura " >> clean-path >> " -P " >> pag >> (when str >> (format " >> -f '%s' " str))))))) > > Please, do not forget to pass stings coming from user input through > shell-quote-argument. There is combine-and-quote-strings function but > its docstring tells that it is not safe enough. Ideally shell should > be completely avoided in such cases and arguments should be passed as > a list directly to exec. https://xkcd.com/327/ So, maybe it would look better like this (`start-process' instead of `start-process-shell-command')?: #+begin_src emacs-lisp (org-link-set-parameters "pdf-pag" :follow (lambda (path) (let ((pag (if (string-match "::\\([1-9]+\\):*:*\\(.*\\)" path) (format "--page=%s" (match-string 1 path)) (error "no pages"))) (clean-path (expand-file-name (replace-regexp-in-string "::.+" "" path))) (str (when (string-match "::\\([1-9]+\\)::\\(.+\\)" path) (format "--find=%s" (match-string 2 path))))) (if str (start-process "zathura" nil "/usr/bin/zathura" clean-path pag str) (start-process "zathura" nil "/usr/bin/zathura" clean-path pag))))) #+end_src Best reagards, Juan Manuel