The above function is not fully correct but it is 100% secure. No input can cause the execution of 'str' itself. -- Shmuel