-
-
Save creationix/2502704 to your computer and use it in GitHub Desktop.
| // Implement bash string escaping. | |
| var safePattern = /^[a-z0-9_\/\-.,?:@#%^+=\[\]]*$/i; | |
| var safeishPattern = /^[a-z0-9_\/\-.,?:@#%^+=\[\]{}|&()<>; *']*$/i; | |
| function bashEscape(arg) { | |
| // These don't need quoting | |
| if (safePattern.test(arg)) return arg; | |
| // These are fine wrapped in double quotes using weak escaping. | |
| if (safeishPattern.test(arg)) return '"' + arg + '"'; | |
| // Otherwise use strong escaping with single quotes | |
| return "'" + arg.replace(/'+/g, function (val) { | |
| // But we need to interpolate single quotes efficiently | |
| // One or two can simply be '\'' -> ' or '\'\'' -> '' | |
| if (val.length < 3) return "'" + val.replace(/'/g, "\\'") + "'"; | |
| // But more in a row, it's better to wrap in double quotes '"'''''"' -> ''''' | |
| return "'\"" + val + "\"'"; | |
| }) + "'"; | |
| } |
Oh, it seems I am gravely mistaken.
Kris, that should work, I just want something that doesn't bloat quite so fast. My application will often end up double and triple escaping values. I tested this function with a full line of dangerous strings and recursively fed it to itself 10 times and the resultant string was only ~300,000 chars. Minor modifications to the code (like changing <3 to <4) blew it up in the millions.
@creationix Yeah, I noticed on closer inspection that was what you were driving at. Definitely a good idea to get a Bash expert to verify your safe character sets. Alas that I’m not the one.
I did test every character one at a time, but initially I wrongly put {} in the first category. It seems that bash is extremely context sensitive and while echo a{b}c is safe, echo a{1..999}c is not! I read as many bash manuals as I could find and I think this is safe, but I'd love an expert review.
@kriskowal Right on... I thought I knew sh/bash OK, but I'm finding surprises in playing with this. Bash is wacky... which begs the question, why are we still using it? It really should be deprecated in favor of A) a very simple interactive shell and B) a real language for serious scripting (Nodejs is great :-)
@creationix Speaking of context, you should add a usage example... I think I know what you're up to, and it's dead simple, but...
I think you’ll find it much simpler to escape the special characters in single quotes.