daroczig / logger

A lightweight, modern and flexible, log4j and futile.logger inspired logging utility for R
https://daroczig.github.io/logger

Feature request: formatter that uses glue_safe() instead of glue() #112

Closed terashim closed 11 months ago

terashim commented 2 years ago

Though glue() is a powerful tool to format text messages, it can cause vulnerabilities when you use it with untrusted data. For example, if a Shiny app uses formatter_glue() to log its user input parameter, an attacker can execute arbitrary R code on the server by submitting malicious data.

glue_safe() is designed to handle untrusted data safely in such a case. It does not execute R code but substitutes variable names by their values.

It would be great if we could choose a formatter that uses glue_safe() instead of glue() to avoid security problems.
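The difference between the two formatters, as an added example that is not part of the issue or of the logger package's own formatter_glue_safe(): the function name formatter_glue_safe_demo, the variable names and the sample input are assumptions for illustration.

```r
library(logger)
library(glue)

# Illustrative formatter (added example, not the package's implementation).
# It follows the argument shape of logger's formatter_glue(), but hands the
# message to glue::glue_safe(), which substitutes {name} with the value of
# `name` from the calling environment and never evaluates R expressions.
formatter_glue_safe_demo <- function(..., .logcall = sys.call(),
                                     .topcall = sys.call(-1),
                                     .topenv = parent.frame()) {
  msgs <- as.character(list(...))
  vapply(msgs,
         function(m) as.character(glue::glue_safe(m, .envir = .topenv)),
         character(1), USE.NAMES = FALSE)
}

log_formatter(formatter_glue_safe_demo)

# Plain variable substitution works as before.
user <- "alice"
log_info("login from {user}")            # INFO [...] login from alice

# Constructed sample of untrusted input: braces in the *value* are logged
# verbatim, because the substituted text is not interpolated again.
input <- "{Sys.getenv('HOME')}"
log_info("received {input}")             # INFO [...] received {Sys.getenv('HOME')}

# Untrusted input used directly as the message: glue_safe() only looks up
# names, so a function call inside braces stops with an error instead of
# running (the same string would be evaluated by formatter_glue()).
tryCatch(
  log_info(input),
  error = function(e) message("refused: ", conditionMessage(e))
)
```

The last call shows the mitigation the issue asks for: a failed lookup is a logging error you can catch and alert on, not code execution on the server.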

daroczig commented 2 years ago

Thanks, this is a great idea! Would you be open to creating a PR for introducing formatter_glue_safe? I will also try to look into this.

terashim commented 2 years ago

Thank you. I created the PR https://github.com/daroczig/logger/pull/113.

daroczig commented 11 months ago

merged via #126 -- thanks!!!