Re: escape string for command line

2005-01-08 Thread Ksenia Marasanova
> > I was wondering, is there a general way to escape the string entered
> > by the user, to prevent code injection into command line?
>
> Take a look at the "string-escape" encoding:
>
> >>> evil = "'; rm -rf /;"
> >>> command = "echo '%s'"
> >>> print command % evil.encode('string-escape')
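
Added example, not part of the original thread: a Python 3 sketch that feeds one harmless constructed payload to a POSIX `/bin/sh` four ways and reports whether the payload's second command ran. `PAYLOAD` and all helper names are constructed here, and `backslash_escape` is an assumed approximation of what the Python 2 `string-escape` codec does to backslashes and single quotes.

```python
import shlex
import subprocess

# Constructed, harmless stand-in for the thread's payload: it closes the
# single quote, runs a second `echo`, and comments out the trailing quote.
PAYLOAD = "'; echo INJECTED #"


def backslash_escape(value):
    """Assumed approximation of Python 2's 'string-escape' codec for the
    two characters that matter here: backslash and single quote."""
    return value.replace("\\", "\\\\").replace("'", "\\'")


def run_shell(command_line):
    """Run a command line through /bin/sh and return its stdout lines."""
    done = subprocess.run(command_line, shell=True,
                          capture_output=True, text=True, check=False)
    return done.stdout.splitlines()


def run_argv(argv):
    """Run a program from an argument list; no shell parses the input."""
    done = subprocess.run(argv, capture_output=True, text=True, check=False)
    return done.stdout.splitlines()


def injected(lines):
    """True when the payload's second command ran as its own command."""
    return "INJECTED" in lines


def demo():
    """Return, per approach, whether the second command was executed."""
    return {
        "raw": injected(run_shell("echo '%s'" % PAYLOAD)),
        "backslash": injected(run_shell("echo '%s'" % backslash_escape(PAYLOAD))),
        "shlex.quote": injected(run_shell("echo %s" % shlex.quote(PAYLOAD))),
        "argv list": injected(run_argv(["echo", PAYLOAD])),
    }


if __name__ == "__main__":
    for name, hit in demo().items():
        print("%-12s second command ran: %s" % (name, hit))
```

Inside single quotes a POSIX shell treats a backslash as a literal character, so only the `shlex.quote` form and the argument-list form keep the input as a single argument.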

Re: escape string for command line

2005-01-08 Thread Marc 'BlackJack' Rintsch
In <[EMAIL PROTECTED]>, Ksenia Marasanova wrote:

> I have a simple ecard creation script on a website, where user can add
> text to a graphic. I use ImageMagick for it:
>
> # template_file => path to image template file
> # new_file => path to generated file
> # text => user input
> command = '''