Hi everyone,

setting up my capture templates to work with a new Chrome extension I
noticed that when i mark some text containing %-escapes inserted with the
'%i' in the template the %-escape was
evaluated.

For example, marking %(print (buffer-name)) will be replaced with
"*Capture*".

I am now wondering if this is intended or not and if this could be
used as a kind of exploit to run code if someone captures code
from a website.

Is there a way to prevent this? I thought about escaping the string, but I
would have to change the chrome extension or maybe is it possible to escape
it somehow in the template?

Here is my template:
("p" "org-protocol-Ch-marked" entry (file refile-path)
         "* %:description\n  %U\n  %:link\n  #+BEGIN_QUOTE\n  %i\n
 #+END_QUOTE"  :immediate-finish t :empty-lines-after 1)

br,
Thomas