Some Perl 5 programs take a regex (in string form) as input, and simply
interpolate it into a regex.
In Perl 6, you'd do that as
my $re = rx/ <$input> /;
But since $input can contain closures, arbitrary code can be executed.
I'd like to propose a way to compile a string to a regex which doesn't
allow code execution.
When the compiler compiles a regex embedded in a normal Perl 6 program,
it somehow has to know about lexical scopes for variable
(non)-interpolation, and about the outer language to parse {...} and
<{...}> closures. So I'd like an API which resets theses environmental
informations.
For example
my $rx = Regex.new(:string('abc|d'), :safe);
could compile the string 'abc|d' to a regex, disallowing references to
external variables, {...} and <{...}> closures and code in the form of
:my $x = somecode();
If the string is tainted, :safe could be enabled by default.
Do you think it's a good idea? Do the implementers think it's doable
with reasonable effort?
Moritz
