@elextr okay it might be hard-ish to quote properly, *but* it's impossible for the user to escape properly. Just plain impossible. If the `%f` expanded to i.e. `foo"bar'baz` or worse, `'foo $(rm -rf ~ 2>/dev/null) bar'` (or without the quotes that are meant to create the injection in case it's surrounded by `'` already). You can `s/quote/escape/` in my comment if you prefer, but that's the same deal.
And yes, we could just not care and hope it's all fine. Not sure if it's very sensible though.

---
Reply to this email directly or view it on GitHub:
https://github.com/geany/geany/pull/792#issuecomment-185729783
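The point made in the comment above, as an added example that is not part of the original comment and is not Geany's code: quotes written around `%f` in the command template cannot protect every file name, while escaping the expanded value on the program side can. The templates, the helper names and the file names (with a harmless `echo` in place of the comment's command) are constructed for illustration, and a POSIX `/bin/sh` is assumed.

```python
import shlex
import subprocess

# Hypothetical command templates; %f stands for the current file name.
USER_SINGLE = r"printf '%s\n' '%f'"   # user wraps the placeholder in '...'
USER_DOUBLE = r'printf "%s\n" "%f"'   # user wraps the placeholder in "..."
BARE = r"printf '%s\n' %f"            # placeholder left bare; the program escapes

# Constructed file names. The first is the one from the comment; the others
# use a harmless echo as the command substitution.
NAMES = ["foo\"bar'baz", "a' $(echo INJECTED) 'b", "$(echo INJECTED)"]

def expand_naive(template, filename):
    """Paste the file name into the template verbatim."""
    return template.replace("%f", filename)

def expand_escaped(template, filename):
    """Escape the file name for the shell before substituting it."""
    return template.replace("%f", shlex.quote(filename))

def run(cmdline):
    """Run the command line through /bin/sh and return its stdout."""
    proc = subprocess.run(["/bin/sh", "-c", cmdline],
                          capture_output=True, text=True)
    return proc.stdout

def arrives_intact(template, expand, filename):
    """True if printf received exactly one argument equal to the file name."""
    return run(expand(template, filename)) == filename + "\n"

if __name__ == "__main__":
    cases = [("user '%f', naive", USER_SINGLE, expand_naive),
             ('user "%f", naive', USER_DOUBLE, expand_naive),
             ("bare %f, escaped", BARE, expand_escaped)]
    for label, template, expand in cases:
        for name in NAMES:
            ok = arrives_intact(template, expand, name)
            print(f"{label:18} {name!r:28} intact={ok}")
```
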
