Kjetil Torgrim Homme wrote:
On Mon, 2007-04-09 at 20:20 +0100, Alexey Melnikov wrote:
Aaron Stone wrote:
So a user can supply a variable that expands into valid options or url
syntax. I do think we have to prevent this.
New ":urlencode" modifier to the set action?
what document should add such a modifier?
I was thinking about Sieve notify.
I'd like to note that it is possible to do this securely, although it's
not convenient. e.g.
if string :matches "${var}" "*&*" {
    set "var" "${1}%26${2}";
}
no, scratch that, we don't have recursion or other looping, so it won't
work for values containing two ampersands. it would be tempting to add
a replace action:
replace "var" "&" "%26";
we could allow MATCH-TYPE for more advanced replacements, e.g.
replace :matches "var" "\\?" "${1}";
would replace a backslash followed by an arbitrary character by that
arbitrary character.
I don't have a real use case for this, so please feel free to disregard
the suggestion.
I do like to have more powerful string operations in Sieve, but I can't
think of a use case either ;-).
getting back to the issue at hand, I think it would be better to extend
the size of the notify namespace. we could have
${notify.quote.subject} (turn «hey "you"» into «"hey \"you\""»)
${notify.urlencode.subject} (turn above string into «hey%20"you"»)
${notify.plain.subject} (verbatim value)
we could also turn the order around, e.g.
${notify.subject.plain}
${notify.subject.urlencode}
which allows us to choose one of them as a "default" when the user
writes just ${notify.subject}.
I like the latter suggestion more.
However, I am still not clear how you would tie this to Sieve notify?
Are you suggesting to abandon :message, etc.?
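
The injection concern discussed in this thread, as an added example that is not part of the original messages: a sender-controlled subject is expanded into a mailto: URI verbatim, after a single "&" rewrite (as the one-shot :matches script would do), and fully percent-encoded. The expand() helper, the addresses and the sample subject are constructed for illustration; the ${notify.subject.*} names are the ones proposed above, not an existing Sieve feature.

```python
import re
from urllib.parse import quote, urlsplit, parse_qsl

# Constructed sample: a subject line chosen by the (untrusted) sender.
SUBJECT = "lunch?&cc=other@example.net&body=hi"
TEMPLATE = "mailto:owner@example.org?subject=${%s}"

def one_pass_escape(value):
    # Models the single :matches "*&*" rewrite: exactly one "&" is encoded.
    # Assumption: the first one; which one is hit does not change the outcome.
    return value.replace("&", "%26", 1)

def expand(template, subject):
    """Hypothetical expander for the variable names proposed in the thread."""
    values = {
        "notify.subject.plain": subject,                       # verbatim value
        "notify.subject.onepass": one_pass_escape(subject),    # illustrative only
        "notify.subject.urlencode": quote(subject, safe=""),   # encode all reserved chars
    }
    return re.sub(r"\$\{([a-z.]+)\}", lambda m: values[m.group(1)], template)

def mailto_fields(uri):
    """Return the header fields a mailto: URI carries as (name, value) pairs."""
    parts = urlsplit(uri)
    if parts.scheme != "mailto":
        raise ValueError("not a mailto URI")
    return parse_qsl(parts.query, keep_blank_values=True)

def fields_for(variant):
    return mailto_fields(expand(TEMPLATE % ("notify.subject." + variant), SUBJECT))

if __name__ == "__main__":
    for variant in ("plain", "onepass", "urlencode"):
        print(variant, fields_for(variant))
```

Only the urlencode variant leaves the URI with the single subject field the script author wrote; the other two let the subject contribute fields of its own.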