The safe mode would be a good idea; banning # is a bit rigorous, as it is needed for various tweaks.

On Mon, May 25, 2009 at 6:09 AM, weblily <[email protected]> wrote:
> Hi Han-Wen,
>
> thanks for your response. I am sorry, I could confirm it. There are some
> more XSS related security issues open. It's really a hell. But I shall try.
>
> Would it help to use LilyPond's safe mode to address this problem? How safe
> is the safe mode anyway? There are so many places where you should care for
> the right kind of escaping ...
>
> Would it be an effective idea to ban the "#"-sign from input altogether?
>
> I'm still a newbie concerning LilyPond. So please, don't mind me asking
> stupid questions.
>
> Best regards,
>
> Johannes aka. Weblily
>
> Han-Wen Nienhuys wrote:
>>
>> this is a cute idea, but you need to do something wrt security,
>>
>> \header { title = #(ly:gulp-file "/lib/libc.so") }
>>
>> appears to actually work rather than raise a security warning.
>>

--
Han-Wen Nienhuys - [email protected] - http://www.xs4all.nl/~hanwen
