

Sorry, but this seems to me to be an awful approach to a secure replace().

If I need to collect tons of test cases, make sure all escape
sequences are valid, and no further characters being valid, I am doing
work that is BOUND to have a bug or two which can have horrible
consequences depending on the context.

Sure, it "educates" me, but it is WAY too complicated and dangerous to
be recommended as standard practise for a safe replace() to everyone -
someone WILL screw it up, and why risk that?

It seems a MUCH better idea to me to simply provide one from the
start, to avoid all those possible pitfalls. Education shouldn't be
enforced onto people at the risk of safe code. This isn't C, folks.


On Thu, Aug 21, 2014 at 8:16 PM, Petite Abeille
<petite.abeille@gmail.com> wrote:
>
> On Aug 21, 2014, at 4:54 PM, Jonas Thiem <jonasthiem@googlemail.com> wrote:
>
>> About the %p pattern... I still cannot judge if it is safe for all circumstances.
>
> Then find out by, for example, educating yourself about what that pattern means.
>
> Reading the documentation might help to get you started:
>
> http://www.lua.org/manual/5.2/manual.html#6.4.1
>
> • %p: represents all punctuation characters.
>
> Then, find out what are all the 'magic characters', in the same section of the documentation:
>
> ^$()%.[]*+-?
>
> Then combine your first discovery, the '%p' pattern, with the second one, the '^$()%.[]*+-?' magic characters, and see how they interact for the purpose of escaping them:
>
> print( ( '^$()%.[]*+-?' ):gsub( '%p', '%%%1' ) )
>
>> %^%$%(%)%%%.%[%]%*%+%-%?
>
> What is the above pattern doing? Are all the 'magic characters' properly escaped? Are all the escape sequences valid? Is this all behaving properly as a 'plain' pattern, with no characters being considered magic? Any drawbacks? Any edge cases? Yes? No? Perhaps? Depends?
>
> You got plenty of test cases, right?
>
> Don’t idly ‘judge’. Learn instead.
>
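
The two approaches debated in this thread, side by side, as an added example that is not part of either message: a replace built on `string.find` with its plain flag, and a `gsub`-based one that escapes the needle with the `%p` idiom quoted above and also escapes `%` in the replacement. The helper names and the sample strings are constructed for illustration.

```lua
-- Added example, not code from the thread. All function names are hypothetical.

-- Approach 1: never build a pattern. string.find's 4th argument (plain = true)
-- turns off pattern matching, and the replacement is concatenated as-is.
local function plain_replace(s, needle, repl)
  if needle == "" then return s, 0 end       -- empty needle matches everywhere; refuse
  local out, pos, count = {}, 1, 0
  while true do
    local i, j = s:find(needle, pos, true)
    if not i then break end
    out[#out + 1] = s:sub(pos, i - 1)
    out[#out + 1] = repl
    pos, count = j + 1, count + 1
  end
  out[#out + 1] = s:sub(pos)
  return table.concat(out), count
end

-- Approach 2: escape, then gsub. Both arguments need treatment:
-- the needle gets the %p idiom from the thread, and the replacement must have
-- '%' doubled ('%1' would be a capture reference; a stray '%' is an error in Lua 5.2+).
local function escape_pattern(s) return (s:gsub("%p", "%%%1")) end
local function escape_repl(s) return (s:gsub("%%", "%%%%")) end

local function gsub_replace(s, needle, repl)
  if needle == "" then return s, 0 end
  return s:gsub(escape_pattern(needle), escape_repl(repl))
end

-- Constructed test inputs: each needle or replacement contains characters that
-- would be misread if passed to gsub unescaped.
local cases = {
  { "price: $5.00 (net)", "$5.00", "%1 off", "price: %1 off (net)" },
  { "a.b.c",              ".",     "%",      "a%b%c" },
  { "x^2+y^2",            "^2",    "[sq]",   "x[sq]+y[sq]" },
  { "50%-60%",            "%-",    " to ",   "50 to 60%" },
}

for _, c in ipairs(cases) do
  local a = plain_replace(c[1], c[2], c[3])
  local b = gsub_replace(c[1], c[2], c[3])
  assert(a == c[4], "plain_replace: " .. a)
  assert(b == c[4], "gsub_replace: " .. b)
  print(("%-20s -> %s"):format(c[1], a))
end
```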