Closed The-Compiler closed 6 years ago
One must not use a plain `%%` with an old lemonbar version, because it might cause security issues.

If untrusted text is displayed in the lemonbar (e.g. a window title of the browser window), then the untrusted text can inject arbitrary lemonbar commands. E.g. a browser window title `%{A1:exec xterm:}CLICK%{A}` is then encoded only to `%%{A1:exec xterm:}CLICK%%{A}` and the `%{A…` is interpreted by lemonbar older than 1411d260a4c6956ff5a3699ee9bfd5b275209fe3:

```
{ echo '%%{A1:exec xterm:}CLICK%%{A}'; cat; } | lemonbar -a 10
```

This command will print `exec xterm` when clicking `CLICK`.
I made the old behaviour configurable in 83adbcec4fd6b3b5affa45f0480f5a0213b74261.
With an up-to-date lemonbar, escaping `%` as `%%{}` adds an additional `{}`, but `%%` alone works fine.
See https://github.com/LemonBoy/bar/commit/1411d260a4c6956ff5a3699ee9bfd5b275209fe3
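The difference between the two escapes is easiest to see by running both through a model of each parser. The following is an added example, not code from this thread's project or from lemonbar itself: `escape_for_lemonbar` applies the `%%` or `%%{}` escape described above, and `legacy_parse` / `modern_parse` are deliberately simplified models (assumptions, not lemonbar's real parser) of the behaviour the comment describes, i.e. before commit 1411d260a4c6956ff5a3699ee9bfd5b275209fe3 every `%{` opens a command block even when preceded by `%`, while afterwards `%%` is a literal `%`. The `title` value is a constructed sample taken from the comment.

```python
from __future__ import annotations

from typing import List, Tuple


def escape_for_lemonbar(text: str, legacy: bool = False) -> str:
    """Escape '%' in untrusted text before passing it to lemonbar.

    Up-to-date lemonbar: '%%' is rendered as a literal '%', so '%%' suffices.
    Old lemonbar (before 1411d260): the second '%' of '%%' still combines with
    a following '{' into '%{', so '%%{}' is used; the '%{}' is an empty,
    harmless block and the original '{' is pushed out of reach of the parser.
    """
    return text.replace("%", "%%{}" if legacy else "%%")


def _take_block(text: str, i: int) -> Tuple[str, int]:
    """Read the body of a '%{...}' block starting at index i; return (body, next index)."""
    end = text.find("}", i + 2)
    if end == -1:
        # Unterminated block: treat the rest of the input as the block body.
        return text[i + 2:], len(text)
    return text[i + 2:end], end + 1


def legacy_parse(text: str) -> Tuple[str, List[str]]:
    """Simplified model (assumption) of the pre-1411d260 parser.

    Returns (rendered text, list of non-empty command block bodies).
    Every '%{' opens a block, regardless of what precedes it.
    """
    out: List[str] = []
    blocks: List[str] = []
    i = 0
    while i < len(text):
        if text.startswith("%{", i):
            body, i = _take_block(text, i)
            if body:
                blocks.append(body)
        else:
            out.append(text[i])
            i += 1
    return "".join(out), blocks


def modern_parse(text: str) -> Tuple[str, List[str]]:
    """Simplified model (assumption) of the post-1411d260 parser.

    '%%' renders as a literal '%'; only an unescaped '%{' opens a block.
    """
    out: List[str] = []
    blocks: List[str] = []
    i = 0
    while i < len(text):
        if text.startswith("%%", i):
            out.append("%")
            i += 2
        elif text.startswith("%{", i):
            body, i = _take_block(text, i)
            if body:
                blocks.append(body)
        else:
            out.append(text[i])
            i += 1
    return "".join(out), blocks


def is_safe(text: str, legacy: bool) -> bool:
    """True when the escaped text produces no command blocks under the chosen parser."""
    parse = legacy_parse if legacy else modern_parse
    return parse(escape_for_lemonbar(text, legacy=legacy))[1] == []


if __name__ == "__main__":
    # Constructed sample: the hostile window title from the comment above.
    title = "%{A1:exec xterm:}CLICK%{A}"
    for legacy in (True, False):
        for esc in (escape_for_lemonbar(title), escape_for_lemonbar(title, legacy=True)):
            parse = legacy_parse if legacy else modern_parse
            print("legacy" if legacy else "modern", repr(esc), "->", parse(esc))
```

Running the script shows the two failure modes side by side: the plain `%%` escape leaves `A1:exec xterm:` as a live block under the legacy parser, while the `%%{}` escape is safe there but renders the extra `{}` under the modern parser, which is why the choice needs to follow the installed lemonbar version.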