
One suggestion for the unescape is to first use loadstring, and then use string.dump to verify that it contains no harmful code.
Basically, you just need to check that the function consists of two opcodes: one LOADK for the string data and one RETURN, which should be fairly easy to verify.

On Sun, Jun 6, 2010 at 2:37 PM, Shmuel Zeigerman <shmuz@013net.net> wrote:
Erik Lindroos wrote:
   The above function is not fully correct but it is 100% secure. No
   input can cause the execution of 'str' itself.

Except of course something like:

print(reverse_q("\\\\\" .. (1+1) -- \\"))

Oops. I stand corrected. Time to fix some of my own code. Thanks.

--
Shmuel
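The following is an added example and is not code from this thread. It shows the weakness Shmuel's input exploits (with `reverse_q_unsafe` as an assumed reconstruction, since the original `reverse_q` is not on this page) next to a hardened decoder that takes a different route from the string.dump check suggested above: it decodes Lua 5.1 string-literal escapes itself and never hands user input to the compiler. The name `unescape` and the error messages are this example's own.

```lua
-- Added example; not code from the thread. Written for Lua 5.1 (the
-- `loadstring` era), with a fallback so it also runs on 5.2+.
local loadstring = loadstring or load

-- ASSUMED reconstruction of the vulnerable pattern: wrap the input in a
-- string literal and let the compiler decode the escapes. The real
-- reverse_q from the thread is not shown on this page.
local function reverse_q_unsafe(str)
  return assert(loadstring('return "' .. str .. '"'))()
end

-- Shmuel's input closes the literal early; the remainder is compiled and
-- executed as Lua, so (1+1) is evaluated rather than decoded.
print(reverse_q_unsafe("\\\\\" .. (1+1) -- \\"))   --> \2

-- Hardened form: decode the escapes of a Lua 5.1 double-quoted string
-- ourselves and never touch the compiler. An unescaped quote or a
-- trailing lone backslash is an error instead of an exit from the literal.
local simple = {
  a = "\a", b = "\b", f = "\f", n = "\n", r = "\r", t = "\t", v = "\v",
  ["\\"] = "\\", ['"'] = '"', ["'"] = "'", ["\n"] = "\n",
}

local function unescape(str)
  local out, i, n = {}, 1, #str
  while i <= n do
    local c = str:sub(i, i)
    if c == "\\" then
      local nxt = str:sub(i + 1, i + 1)
      if nxt == "" then
        return nil, "trailing backslash"
      elseif simple[nxt] then
        out[#out + 1] = simple[nxt]
        i = i + 2
      else
        -- \ddd: up to three decimal digits, value must fit in a byte
        local digits = str:match("^%d%d?%d?", i + 1)
        if not digits then return nil, "bad escape \\" .. nxt end
        local code = tonumber(digits)
        if code > 255 then return nil, "escape out of range: \\" .. digits end
        out[#out + 1] = string.char(code)
        i = i + 1 + #digits
      end
    elseif c == '"' then
      return nil, "unescaped double quote at position " .. i
    else
      out[#out + 1] = c
      i = i + 1
    end
  end
  return table.concat(out)
end

-- Ordinary escapes decode as the compiler would ...
assert(unescape("a\\nb\\65\\\"") == "a\nbA\"")
-- ... and the injection string is rejected instead of executed.
local ok, err = unescape("\\\\\" .. (1+1) -- \\")
assert(ok == nil)
print(err)   --> unescaped double quote at position 3
```

Whichever route is taken, the property to preserve is that the untrusted text can never leave the string-literal context: either it is never compiled at all, as here, or (per the suggestion at the top of the thread) the compiled chunk is checked to contain nothing but a LOADK of the decoded string and a RETURN, a check whose details depend on the bytecode format of the Lua version in use.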