Hello,

Thomas Preindl <thomas.prei...@gmail.com> writes:

> setting up my capture templates to work with a new Chrome extension I
> noticed that when I mark some text containing %-escapes inserted with the
> '%i' in the template the %-escape was
> evaluated.
>
> For example, marking %(print (buffer-name)) will be replaced with
> "*Capture*".
>
> I am now wondering if this is intended or not and if this could be
> used as a kind of exploit to run code if someone captures code
> from a website.

Judging from `org-capture-fill-template', this is a feature. Worse,
%(...) placeholders, the most dangerous ones, are always expanded last.
I guess the intent is to fill the Sexp with previous placeholders and
then eval it for a proper result (see, e.g., `org-capture-template's
docstring).

One solution would be to expand recursively Sexp placeholders at the
beginning of `org-capture-fill-template', right after expanding
properties placeholders (i.e., %:property), so as to limit the problem.

We could also remove recursivity for placeholders altogether. It is
buggy anyway (e.g., if a property placeholder introduces another
placeholder, the latter is not expanded).

Question to the ML: is there anyone relying on placeholder recursion?

Regards,

-- 
Nicolas Goaziou
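The ordering issue discussed in this message, as an added example that is not part of the original e-mail and is not Org's code: a toy filler that handles only %i and %(...), run once with Sexp placeholders expanded last and once with them expanded first. All `demo-` functions, the template and the selection are hypothetical and constructed for illustration.

```elisp
;;; -*- lexical-binding: t -*-
;; Toy model of placeholder ordering; NOT `org-capture-fill-template'.

(defun demo-expand-initial (text selection)
  "Replace every %i in TEXT with SELECTION, inserted literally."
  (replace-regexp-in-string "%i" selection text t t))

(defun demo-expand-sexps (text)
  "Evaluate every %(...) form found in TEXT and splice in its value.
Values that were just inserted are not scanned again."
  (with-temp-buffer
    (insert text)
    (goto-char (point-min))
    (while (search-forward "%(" nil t)
      (let* ((start (- (point) 2))
             ;; Move onto the opening paren and read one Lisp form.
             (form (progn (goto-char (1+ start))
                          (read (current-buffer))))
             (end (point))
             (value (format "%s" (eval form t))))
        (delete-region start end)
        (goto-char start)
        (insert value)))
    (buffer-string)))

(defun demo-fill-sexps-last (template selection)
  "Order described in the thread: %i first, %(...) last.
Any %(...) inside SELECTION is evaluated as if the template held it."
  (demo-expand-sexps (demo-expand-initial template selection)))

(defun demo-fill-sexps-first (template selection)
  "Proposed order: the template's own %(...) first, then %i.
SELECTION is inserted after evaluation, so it stays inert text."
  (demo-expand-initial (demo-expand-sexps template) selection))

;; Constructed inputs: a template written by the user and text
;; marked on a web page (the form is the one quoted in the thread).
(let ((template "* %(upcase \"note\") %i")
      (selection "see %(print (buffer-name))"))
  (message "sexps last : %s"
           (demo-fill-sexps-last template selection))
  (message "sexps first: %s"
           (demo-fill-sexps-first template selection)))
```

In the second order a form such as %(f "%i") no longer sees the selection, which is the trade-off behind the question about who relies on placeholder recursion.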