add --sanitize option #3729
|
For a bit of context on why I introduced The syntax highlighting definitions we use expect plain source code as their input. If bat tried to syntax highlight source code that was already highlighted with ANSI escape sequences, it would slow down considerably and produce an incorrect highlighting output. Primarily, it was meant to support using At the same time, I also added an The reason it was named Adding more control sequences to strip out is a very nice improvement and I would absolutely love to see that added, but I would prefer if the control character replacement was a superset of From a UX perspective, I think having @keith-hall, thoughts? In any case, though, awesome work! |
|
Completely agree 👍 |
|
Alright I will make this a separate option that uses the existing filter and extends it to all relevant control characters. |
|
This should be ready to merge now |
|
I fixed the merge conflict and squashed the commits. |
This adds an alias for --strip-ansi and enforces more strict sanitation. --strip-ansi is currently the only option to handle untrusted data, but the name is confusing and does not fully reflect what the code does, and it is also incomplete for the purpose of sanitation.
This PR adds an alternative to the --strip-ansi option named --sanitize. It extends the filtered characters to cover all relevant sequences that could spoof content or trigger terminal commands.
Specifically the added changes are:
�) (line-overwrite forgery).
�) (charset-shift forgery).
�) (RI is a cursor-up overwrite vector).
�).
�) (content-spoofing / Trojan-Source vector).
CRLF, FF, tab, newline pass through unchanged.
auto-mode plain-text carve-out preserved. Loop-through cat-mode preserved.
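The filtering policy the description names, as an added Rust example that is not bat's code or this PR's code: it replaces single control characters and reports why each was rejected. The mapping from each vector name to concrete code points (bare CR, SO/SI, C1 RI at U+008D, the bidi embedding/override/isolate controls) and the function names `classify` and `sanitize` are assumptions; escape-sequence parsing is out of scope, so an ESC byte is replaced and the rest of its sequence stays visible as literal text.

```rust
// Added example, not bat's code. Character classes are assumptions based on
// the vector names in the PR description above.

/// Returns the reason a character is rejected, or None if it passes through.
fn classify(c: char, next: Option<char>) -> Option<&'static str> {
    match c {
        '\n' | '\t' | '\x0C' => None, // newline, tab, FF pass through
        '\r' if next == Some('\n') => None, // CR is allowed only as part of CRLF
        '\r' => Some("bare CR (line overwrite)"),
        '\x0E' | '\x0F' => Some("SO/SI (charset shift)"),
        '\u{8D}' => Some("C1 RI (cursor up)"),
        '\u{202A}'..='\u{202E}' | '\u{2066}'..='\u{2069}' => Some("bidi control"),
        c if c.is_control() => Some("other C0/C1 control"), // includes ESC and DEL
        _ => None,
    }
}

/// Replaces rejected characters with U+FFFD and reports (char index, reason).
pub fn sanitize(input: &str) -> (String, Vec<(usize, &'static str)>) {
    let mut out = String::with_capacity(input.len());
    let mut findings = Vec::new();
    let mut it = input.chars().enumerate().peekable();
    while let Some((i, c)) = it.next() {
        let next = it.peek().map(|&(_, n)| n);
        match classify(c, next) {
            Some(reason) => {
                findings.push((i, reason));
                out.push('\u{FFFD}'); // visible marker instead of silent removal
            }
            None => out.push(c),
        }
    }
    (out, findings)
}

fn main() {
    // Constructed sample: a bare-CR overwrite, a bidi override, and a normal CRLF.
    let sample = "status: FAILED\rstatus: ok    \nadmin = \u{202E}false\r\n";
    let (clean, findings) = sanitize(sample);
    println!("{:?}", clean);
    for (i, why) in findings {
        println!("char {}: {}", i, why);
    }
}
```

Replacing with U+FFFD rather than deleting keeps the tampering visible to whoever reads the output.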