- Subject: Re: Parsing strings written by string.format("%q")
- From: Kim Alvefur <zash@...>
- Date: Thu, 24 Nov 2016 22:36:31 +0100
On 2016-11-24 22:07, Jerome Vuarand wrote:
> 2016-11-24 22:03 GMT+01:00 David Given <dg@cowlark.com>:
>> On 23/11/16 21:35, Soni L. wrote:
>>> [...]
>>> It's usually called "someone else".
>>> https://github.com/SoniEx2/Stuff/blob/master/lua/String.lua
>>
>> Thanks, but I was rather hoping for something that didn't involve so
>> much interpreted Lua; it's not that I'm worried about the size, but
>> performance is important here.
>>
>> And I don't have LPEG.
>>
>> I'm tending towards the compile-and-execute method right now, actually.
>> It's ugly, but it's also a reasonably trusted environment, and it would
>> let me combine it with some other code (for parsing numbers and booleans).
>
> I personally use dofile/loadstring for that kind of thing. If you're
> afraid you can add some basic safety checks, like making sure the
> string starts and ends with double quote, and doesn't contain any
> unescaped double quote.
>
I too use load{file,string} for this, in an empty environment. This
doesn't prevent doing funny things like this though:

    ""..(function() while true do end end)()..""

It would be pretty nice to have a subset of the Lua parser available for
data-only loading, i.e. only literal tables, numbers, strings.
Functions, loops, conditionals etc. disallowed.
--
Kim "Zash" Alvefur
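
Added example (not part of the original message or of any poster's code): a pure-Lua decoder that accepts only the escapes string.format("%q") emits and never calls load, so input such as the expression quoted above is rejected instead of executed. The name unquote is hypothetical, and the accepted escape set assumes the %q output of Lua 5.1 through 5.4.

```lua
-- Decode one string.format("%q") literal without load/loadstring.
-- Returns the decoded string, or nil plus an error message.
local function unquote(s)
  if type(s) ~= "string" or #s < 2
     or s:sub(1, 1) ~= '"' or s:sub(-1) ~= '"' then
    return nil, "not a double-quoted literal"
  end
  local body = s:sub(2, -2)
  local out, pos = {}, 1
  while pos <= #body do
    -- Next byte that needs a decision: backslash, quote or raw newline.
    local stop = body:find('[\\"\n]', pos)
    if not stop then
      out[#out + 1] = body:sub(pos)
      break
    end
    out[#out + 1] = body:sub(pos, stop - 1)
    if body:sub(stop, stop) ~= "\\" then
      -- %q always escapes these, so their raw form means "not %q output".
      return nil, "unescaped quote or newline at byte " .. stop
    end
    local c = body:sub(stop + 1, stop + 1)
    if c == '"' or c == "\\" or c == "\n" then
      out[#out + 1] = c          -- \"  \\  and backslash-newline
      pos = stop + 2
    elseif c == "r" then
      out[#out + 1] = "\r"       -- emitted by Lua 5.1
      pos = stop + 2
    else
      -- Decimal escape \d, \dd or \ddd (NUL and control bytes).
      local digits = body:match("^%d%d?%d?", stop + 1)
      local n = digits and tonumber(digits)
      if not n or n > 255 then
        return nil, "unsupported escape at byte " .. stop
      end
      out[#out + 1] = string.char(n)
      pos = stop + 1 + #digits
    end
  end
  return table.concat(out)
end

-- Constructed sample: quote, backslash, newline, CR, NUL before a digit, tab.
local sample = 'say "hi" \\ \n \r \0001 \t end'
assert(unquote(string.format("%q", sample)) == sample)
-- The expression from the message is refused at its first unescaped quote.
assert(unquote('""..(function() while true do end end)()..""') == nil)
```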