Re: [hackers] [st][PATCH] in bracketed paste mode, filter escapes from pasted data

From: Jann Horn <jannh_AT_google.com>
Date: Mon, 6 Nov 2017 12:27:57 +0100

On Fri, Nov 3, 2017 at 12:13 AM, Hiltjo Posthuma <hiltjo_AT_codemadness.org> wrote:
> On Thu, Nov 02, 2017 at 10:42:05PM +0100, Jann Horn wrote:
>> Browsers permit copied data to contain escape characters. To prevent
>> malicious websites (or other sources of malicious text) from faking a
>> bracketed paste end sequence, filter escape characters from pasted text in
>> bracketed paste mode.
>>
>> xterm unconditionally filters out a bunch of control characters, including
>> \033, in pasted data (see removeControls() in button.c in the xterm
>> sources), so I think that this change should be fine from a compatibility
>> standpoint.
[...]
> This seems too specific to me (the browser use-case). It won't be applied.

Don't you think that it is common for users to copy-paste shell commands from
sites like stackoverflow or the Arch Linux wiki? These sites give their users
some degree of control over formatting.

I occasionally copy shell commands, URLs and things like that from
my browser into a shell, and to make that secure, I have to first paste
the copied text into a text editor and make sure it is what I intended to copy.
This is a hassle, and I'm not sure whether everyone knows that it is necessary.
Received on Mon Nov 06 2017 - 12:27:57 CET
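
The filtering discussed in this thread, sketched as an added example (this is not the patch from the thread and not st's code): ESC bytes are dropped from pasted data before it is wrapped in the bracketed paste markers, so the data cannot contain an end sequence of its own. The function names and the sample clipboard text are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
#define PASTE_START "\033[200~"
#define PASTE_END   "\033[201~"

/* Constructed clipboard text: an embedded end marker followed by more input. */
static const char sample[] = "ls\033[201~echo injected\n";

/* Drop every ESC (0x1b) byte from buf in place; returns the new length. */
static size_t strip_esc(char *buf, size_t len)
{
	size_t r, w = 0;
	for (r = 0; r < len; r++)
		if (buf[r] != '\033')
			buf[w++] = buf[r];
	return w;
}

/* Write start marker + ESC-filtered data + end marker into out.
 * Returns bytes written, or 0 if out is too small. */
static size_t frame_paste(const char *data, size_t len, char *out, size_t outsz)
{
	size_t slen = strlen(PASTE_START), elen = strlen(PASTE_END), n;
	if (len > outsz || slen + len + elen > outsz)
		return 0;
	memcpy(out, PASTE_START, slen);
	memcpy(out + slen, data, len);
	n = strip_esc(out + slen, len);	/* filter the copy, not the caller's data */
	memcpy(out + slen + n, PASTE_END, elen);
	return slen + n + elen;
}

/* Count end markers in a framed buffer; a well-formed paste has exactly one. */
static size_t count_end_markers(const char *buf, size_t len)
{
	size_t i, c = 0, elen = strlen(PASTE_END);
	for (i = 0; i + elen <= len; i++)
		c += memcmp(buf + i, PASTE_END, elen) == 0;
	return c;
}

int main(void)
{
	char out[64];
	size_t n = frame_paste(sample, sizeof(sample) - 1, out, sizeof(out));
	printf("%zu bytes, %zu end marker(s)\n", n, count_end_markers(out, n));
	return 0;
}
```

Without the `strip_esc()` call the same sample would produce two end markers in the framed output, and the receiving application would treat everything after the first one as typed input.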
