The problems with ## in iter() and @dolist

Submitted by javelin on Sun, 2012-02-12 22:54

Using ## in iter() and @dolist (and #$ in switch()) can be dangerous if not treated with care. The problem is that the ## token is replaced textually /before/ the action is evaluated, not during evaluation as with %-substitutions. This means that if the current list item that takes the place of ## contains anything resembling code (square brackets, percent signs, and so on), that code is evaluated as part of the action. In badly-written code, this gives an attacker who controls the list the ability to run any function as the object the iter() is on, with that object's powers. Obviously, this is bad.
There are several measures you can take to avoid these security holes. The first is to use itext() instead of ## when the list being iterated over might contain arbitrary text and code (the results of things like lnum() and lcon() don't usually need this, because numbers and dbrefs are safe). itext() is an ordinary function call: it is evaluated at run time and returns the current item as plain text, which is never evaluated again. The second is to use escape() or secure() on the list argument, not around the ##'s. escape() puts a backslash in front of the special characters that mark code as opposed to plain text (brackets, percent signs, etc.), so they survive the one evaluation pass as literal characters; secure() removes them by replacing them with spaces. Wrapping ## itself in escape() does not work: by the time escape() runs, ## has already been substituted and its contents evaluated as the argument to escape().
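As an added example (this is not code from the original post), here is the unsafe pattern next to the three fixes described above, written as $-commands on a hypothetical object named Echo Object; the attribute and command names are made up for illustration. Typing "+unsafe [add(1,1)] [pemit(%#,hi)]" runs both functions as Echo Object, while the itext(), escape() and secure() variants show the brackets as literal text (secure() shows them with the special characters blanked out).

```mushcode
@@ Added example, not from the original post. Assumes a hypothetical object
@@ named Echo Object; attribute and command names are invented.

@@ UNSAFE: ## is pasted into the action text before that text is evaluated,
@@ so an item such as [add(1,1)] or [pemit(%#,hi)] is executed as Echo Object.
&CMD.UNSAFE Echo Object=$+unsafe *:@pemit %#=[iter(%0, Item: ##, %b, %r)]

@@ FIX 1: itext(0) is evaluated at run time and returns the current item as
@@ plain text; nothing inside the item is evaluated again.
&CMD.ITEXT Echo Object=$+itext *:@pemit %#=[iter(%0, Item: [itext(0)], %b, %r)]

@@ FIX 2: escape() the LIST argument. Each special character in the items
@@ gets a backslash in front of it, so after ## is substituted the action's
@@ single evaluation pass turns them back into literal characters.
&CMD.ESCAPE Echo Object=$+escape *:@pemit %#=[iter(escape(%0), Item: ##, %b, %r)]

@@ FIX 3: secure() the list argument instead. Special characters are replaced
@@ with spaces: lossy, but nothing that remains can be parsed as code.
&CMD.SECURE Echo Object=$+secure *:@pemit %#=[iter(secure(%0), Item: ##, %b, %r)]

@@ WRONG "fix": escape(##) runs too late. ## has already been replaced, so the
@@ item is evaluated as the argument of escape() before escape() ever sees it.
&CMD.WRONG Echo Object=$+wrong *:@pemit %#=[iter(%0, Item: [escape(##)], %b, %r)]

@@ The same rule applies to @dolist: passing the list through %0 is safe,
@@ the ## token is not. escape() the list, so each queued action receives
@@ backslash-escaped text that evaluates back to the literal item.
&CMD.EACH_UNSAFE Echo Object=$+eachunsafe *:@dolist %0=@pemit %#=Item: ##
&CMD.EACH_SAFE Echo Object=$+each *:@dolist [escape(%0)]=@pemit %#=Item: ##

@@ And to #$ in switch(): the matched value is pasted in before evaluation.
@@ secure() is used here rather than escape() so the patterns still match
@@ plain text instead of having to account for inserted backslashes.
&CMD.SW_UNSAFE Echo Object=$+swunsafe *:@pemit %#=[switch(%0, *, You said #$)]
&CMD.SW_SAFE Echo Object=$+sw *:@pemit %#=[switch(secure(%0), *, You said #$)]
```

Note that escape() and secure() go on the list (or switch value) argument, where they run once before any ## or #$ substitution; the +wrong command is kept only to show that the same call wrapped around ## gives no protection at all.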

2001-Jun-11 7:48pm shawnw