Closed terashim closed 11 months ago
Thanks, this is a great idea! Would you be open to creating a PR for introducing formatter_glue_safe? I will also try to look into this.
Thank you. I created the PR https://github.com/daroczig/logger/pull/113.
merged via #126 -- thanks!!!
Though glue() is a powerful tool to format text messages, it can cause vulnerabilities when you use it with untrusted data. For example, if a Shiny app uses formatter_glue() to log its user input parameter, an attacker can execute arbitrary R code on the server by submitting malicious data. glue_safe() is designed to handle untrusted data safely in such a case. It does not execute R code but substitutes variable names by their values. It would be great if we could choose a formatter that uses glue_safe() instead of glue() to avoid security problems.
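The following R snippet is an added illustration of the difference described in this issue; it is not code from the thread or from the logger package. It contrasts a log formatter built on glue(), which evaluates any braced expression found in the message, with one built on glue_safe(), which only substitutes variable names, and then shows the same switch at the logger level with log_formatter() and the formatter_glue_safe introduced by the PR above. The sample input is constructed and deliberately harmless (the expression 1 + 1); the point is that with glue() the expression is evaluated on the server at all, while glue_safe() refuses it.

```r
library(glue)

# Constructed untrusted input: a string that contains a braced R expression.
# Real user input reaching a log statement could carry anything in the braces.
user_input <- "{1 + 1}"

# Vulnerable pattern: the untrusted string is used as the glue() template,
# so the braced expression is evaluated and the result is written to the log.
# This is what formatter_glue() does with the message it is handed.
format_unsafe <- function(msg) {
  as.character(glue(msg))
}

# Safe pattern: glue_safe() only looks up plain variable names; anything else
# inside the braces raises an error instead of being evaluated.
format_safe <- function(msg) {
  as.character(glue_safe(msg))
}

# Demonstration: the unsafe formatter evaluates the expression; the safe one
# stops with an error, which is surfaced here instead of aborting the script.
format_unsafe(user_input)
tryCatch(
  format_safe(user_input),
  error = function(e) paste("glue_safe refused the input:", conditionMessage(e))
)

# Correct way to log untrusted data: keep the template trusted and refer to
# the data by variable name. glue_safe() substitutes the value verbatim and
# does not evaluate the braces inside it.
format_safe("user sent: {user_input}")

# Same hardening applied package-wide with logger: every log_* call now goes
# through glue_safe(). formatter_glue_safe is the formatter added by the PR
# in this thread; log_formatter() is logger's setter for the active formatter.
library(logger)
log_formatter(formatter_glue_safe)
log_info("user sent: {user_input}")
```

Switching the formatter is the right fix when the message text is trusted and only the interpolated values come from users. If untrusted data can become the template itself (for example log_info(user_input)), glue_safe() turns that into a logged error rather than executed code, which is the behaviour the issue asks for.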