On 14/11/2021 22:28, Daniel Kraus wrote:
* lisp/ob-clojure.el: Add support for babashka and nbb backend. --- +(defun ob-clojure-escape-quotes (str-val) + "Escape quotes for STR-VAL." + (replace-regexp-in-string "\"" "\\\"" str-val 'FIXEDCASE 'LITERAL)) + +(defun ob-clojure-eval-with-babashka (bb expanded) + "Evaluate EXPANDED code block using BB (babashka or nbb)." + (let ((escaped (ob-clojure-escape-quotes expanded))) + (shell-command-to-string + (concat bb " -e \"" escaped "\""))))
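Review bot: In ob-clojure-eval-with-babashka the command is assembled with concat and run through shell-command-to-string, while ob-clojure-escape-quotes escapes only the double quote, so backquotes, $ and backslashes in EXPANDED are still interpreted by the shell inside the double-quoted argument. Quote the code with shell-quote-argument, or avoid the shell by running BB through call-process or process-file with "-e" and EXPANDED as separate arguments; ob-clojure-escape-quotes is then unnecessary.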
Is it not an open door for security vulnerabilities? Consider a string somewhere in the code: "`echo arbitrary code execution`". Only outer quotes are escaped.
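
The quoting problem raised in this message, as an added example that is not part of the original thread or of ob-clojure.el: it builds the command line the way the patch does, then shows two safer forms. The `my/` names and the use of `echo` as a stand-in for `bb` are assumptions made for the illustration.

```elisp
;;; -*- lexical-binding: t; -*-
;; Added example; every my/ name is hypothetical, not from ob-clojure.el.

(defun my/escape-quotes-only (code)
  "Escape only double quotes in CODE, as the patch does."
  (replace-regexp-in-string "\"" "\\\"" code 'fixedcase 'literal))

(defun my/command-quotes-only (program code)
  "Build the command line for PROGRAM and CODE the way the patch does."
  (concat program " -e \"" (my/escape-quotes-only code) "\""))

(defun my/command-shell-quoted (program code)
  "Build the command line with CODE quoted by `shell-quote-argument'."
  (concat program " -e " (shell-quote-argument code)))

(defun my/eval-no-shell (program code)
  "Run PROGRAM with CODE as one argv element; no shell ever parses CODE."
  (with-temp-buffer
    (call-process program nil t nil "-e" code)
    (buffer-string)))

;; Constructed sample: a Clojure form holding the string from the message.
(defvar my/sample "(println \"`echo arbitrary code execution`\")"
  "Constructed sample input for the comparison below.")

;; `echo' stands in for bb (assumption), so the example runs without babashka.
;; 1. Patch-style quoting: the backquotes sit inside shell double quotes,
;;    where command substitution still happens before the program starts.
(message "quotes only : %s"
         (shell-command-to-string (my/command-quotes-only "echo" my/sample)))

;; 2. shell-quote-argument: the shell hands the code over unchanged,
;;    backquotes included.
(message "shell-quoted: %s"
         (shell-command-to-string (my/command-shell-quoted "echo" my/sample)))

;; 3. No shell at all: the code travels as a single process argument.
(message "call-process: %s" (my/eval-no-shell "echo" my/sample))
```

Comparing the three messages shows the backquoted part replaced by its output only in the first case.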