There are some well-known vulnerabilities that are a result of deserializing untrusted inputs. Are editor snips restrictive enough that their deserialization is safe? After all, they are already loaded when a file is opened in DrRacket, and a file on the disk may originate from an untrusted source. In particular, I would be doing something like this (snip-class-name, bytes, and snip-pos are from an untrusted source). The whole thing will be wrapped in an exception handler:
(define snip-class (send (get-the-snip-class-list) find snip-class-name)) ; Also handle case where this returns #f (define bytes-base-in (make-object editor-stream-in-bytes-base% bytes)) (define editor-stream-in (make-object editor-stream-in% bytes-base-in)) (define new-snip (send snip-class read editor-stream-in)) (send text insert new-snip snip-pos) Daniel -- You received this message because you are subscribed to the Google Groups "Racket Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to racket-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/racket-users/153d1c59-0343-4ed9-805b-2909499ec98fn%40googlegroups.com.