On Sat, Jun 5, 2010 at 6:29 AM, Roberto Ierusalimschy
<roberto@inf.puc-rio.br> wrote:
>> >> Hmm, I must be slow. I can't figure out how to convert a string with represented control characters into a string with actual control characters.
>> >>
>> >> E.g.:
>> >>
>> >> local input = [[ line 1\nline2 ]]
>> >>
>> >> str:gsub("\\(.)", '\%1') -- doesn't work
>> >
>> > control={n="\n", r="\r"} -- fill as needed
>> > str:gsub("\\(.)", control)
>> >
>>
>> What about using loadstring?
>
> What is wrong with the previous solution (using a 'control' table)?
>
> -- Roberto
>

Personally, I'd rather let Lua handle the escapes, because I know it
knows what to do with them. I'd rather not compile a larger list of
escape sequences and forget some. And the solution posted by Luiz
can't handle \nnn (octal escape) just by adding it to the list,
because the pattern only matches \ followed by one character.


As far as security goes, my solution was really just a proof of
concept, and I wouldn't want to use it with untrusted data. You could
setfenv() the loaded chunk, but then you're still vulnerable to
something like reverse_q[[" .. (function() while true do end end)() ..
"]] (which comes out to be 'return "" .. (payload)() .. ""')

~Jonathan
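
An added example, not part of the original message or of any poster's code: a single-pass unescaper that extends the 'control' table approach to \ddd escapes, so untrusted input is never handed to loadstring. The helper name `unescape` and the sample strings are assumptions constructed for illustration; it covers the Lua 5.1 escape set only.

```lua
-- Added example: decode Lua 5.1 escapes as data, never as code.
local control = {
  a = "\a", b = "\b", f = "\f", n = "\n", r = "\r", t = "\t", v = "\v",
  ["\\"] = "\\", ['"'] = '"', ["'"] = "'", ["\n"] = "\n",
}

-- Hypothetical helper name. Returns the decoded string, or nil plus an
-- error message when an escape is unknown or out of range.
local function unescape(s)
  local out, pos = {}, 1
  while true do
    local bs = s:find("\\", pos, true)        -- plain find, no patterns
    if not bs then
      out[#out + 1] = s:sub(pos)
      break
    end
    out[#out + 1] = s:sub(pos, bs - 1)
    -- \ddd: up to three decimal digits, as the Lua lexer reads them
    local digits = s:match("^%d%d?%d?", bs + 1)
    if digits then
      local code = tonumber(digits)
      if code > 255 then
        return nil, "escape \\" .. digits .. " too large at position " .. bs
      end
      out[#out + 1] = string.char(code)
      pos = bs + 1 + #digits
    else
      local rep = control[s:sub(bs + 1, bs + 1)]
      if not rep then
        return nil, "invalid escape at position " .. bs
      end
      out[#out + 1] = rep
      pos = bs + 2
    end
  end
  return table.concat(out)
end

-- Constructed sample inputs.
print(unescape([[line 1\nline2 \65\066 \\n]]))
-- The string from the message above contains no escapes, so it comes
-- back unchanged and nothing in it is ever executed.
print(unescape([[" .. (function() while true do end end)() .. "]]))
print(unescape([[bad \q]]))
```

Because the input is scanned left to right in one pass, an escaped backslash followed by `n` stays a literal backslash and `n` rather than being decoded twice.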