From mboxrd@z Thu Jan 1 00:00:00 1970 From: Thomas Preindl Subject: Org campture recursively expands %-escapes Date: Sat, 21 Nov 2015 22:06:16 +0000 Message-ID: Mime-Version: 1.0 Content-Type: multipart/alternative; boundary=001a114b42680a1249052514348b Return-path: Received: from eggs.gnu.org ([2001:4830:134:3::10]:36448) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1a0GIe-0001bx-E3 for emacs-orgmode@gnu.org; Sat, 21 Nov 2015 17:06:29 -0500 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1a0GId-0002hY-H7 for emacs-orgmode@gnu.org; Sat, 21 Nov 2015 17:06:28 -0500 Received: from mail-wm0-x231.google.com ([2a00:1450:400c:c09::231]:37174) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1a0GId-0002hQ-7J for emacs-orgmode@gnu.org; Sat, 21 Nov 2015 17:06:27 -0500 Received: by wmww144 with SMTP id w144so61566704wmw.0 for ; Sat, 21 Nov 2015 14:06:26 -0800 (PST) List-Id: "General discussions about Org-mode." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: emacs-orgmode-bounces+geo-emacs-orgmode=m.gmane.org@gnu.org Sender: emacs-orgmode-bounces+geo-emacs-orgmode=m.gmane.org@gnu.org To: emacs-orgmode@gnu.org --001a114b42680a1249052514348b Content-Type: text/plain; charset=UTF-8 Hi everyone, setting up my capture templates to work with a new Chrome extension I noticed that when i mark some text containing %-escapes inserted with the '%i' in the template the %-escape was evaluated. For example, marking %(print (buffer-name)) will be replaced with "*Capture*". I am now wondering if this is intended or not and if this could be used as a kind of exploit to run code if someone captures code from a website. Is there a way to prevent this? I thought about escaping the string, but I would have to change the chrome extension or maybe is it possible to escape it somehow in the template? Here is my template: ("p" "org-protocol-Ch-marked" entry (file refile-path) "* %:description\n %U\n %:link\n #+BEGIN_QUOTE\n %i\n #+END_QUOTE" :immediate-finish t :empty-lines-after 1) br, Thomas --001a114b42680a1249052514348b Content-Type: text/html; charset=UTF-8 Content-Transfer-Encoding: quoted-printable
Hi everyone,

setting up my capture temp= lates to work with a new Chrome extension I noticed that when i mark some t= ext containing %-escapes inserted with the '%i' in the template the= %-escape was
evaluated.

For example, ma= rking %(print (buffer-name)) will be replaced with
"*Capture= *".

I am now wondering if this is intended or= not and if this could be=C2=A0
used as a kind of exploit to run = code if someone captures code
from a website.

Is there a way to prevent this? I thought about escaping the string, = but I would have to change the chrome extension or maybe is it possible to = escape it somehow in the template?

Here is my temp= late:
("p" "org-protocol-Ch-marked" entry (fi= le refile-path)
=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0"= * %:description\n =C2=A0%U\n =C2=A0%:link\n =C2=A0#+BEGIN_QUOTE\n =C2=A0%i\= n =C2=A0#+END_QUOTE" =C2=A0:immediate-finish t :empty-lines-after 1)

br,
Thomas
--001a114b42680a1249052514348b--