<p><a class="user-mention" data-hovercard-user-id="37333988" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="https://github.com/aplsimple">@aplsimple</a> please use a recognised format like diff.  It's not clear what you are actually doing, but it appears that the only change is the addition of a call to <code>build_replace_placeholder()</code>.  If that's what you wanted why didn't you just say so instead of a novel nobody read?</p>
<p>Also note I think you have a memory leak because you don't free the strdup of command anywhere.</p>
<p>If you correct that and make a proper pull request with the manual documentation matching the change you might have a chance of the change being accepted.</p>
<p><a class="user-mention" data-hovercard-user-id="9009011" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="https://github.com/LarsGit223">@LarsGit223</a> certainly if the user set the command setting to <code>%s</code> it will run the selection, but that's the case now, and nowhere does Geany attempt to sanitise commands that result from substitution of placeholders into command strings set by users, and nor should it.  Even if the command was set to the totally innocuous <code>echo %s</code>, a user could select <code>; rm -rf /</code> and be in trouble <g-emoji class="g-emoji" alias="grin" fallback-src="https://assets-cdn.github.com/images/icons/emoji/unicode/1f601.png">😁</g-emoji></p>
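<p>Added example, not part of the comment above and not Geany's code: a plain C sketch of what substituting a selection into <code>echo %s</code> hands to the shell, with and without POSIX single-quote escaping. The helper names <code>shell_quote</code>, <code>substitute</code> and <code>substitute_quoted</code> are hypothetical, and the selection is a constructed, harmless value.</p>

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Quote s as one POSIX shell word: wrap in '...' and turn each ' into '\''. */
char *shell_quote(const char *s) {
    size_t n = 2;                       /* opening and closing quote */
    for (const char *p = s; *p; p++)
        n += (*p == '\'') ? 4 : 1;
    char *out = malloc(n + 1), *w = out;
    if (!out) return NULL;
    *w++ = '\'';
    for (const char *p = s; *p; p++) {
        if (*p == '\'') { memcpy(w, "'\\''", 4); w += 4; }
        else *w++ = *p;
    }
    *w++ = '\''; *w = '\0';
    return out;
}

/* Replace every "%s" in tmpl with value verbatim; caller frees the result. */
char *substitute(const char *tmpl, const char *value) {
    size_t vlen = strlen(value), n = 0;
    for (const char *p = tmpl; *p; )
        if (p[0] == '%' && p[1] == 's') { n += vlen; p += 2; } else { n++; p++; }
    char *out = malloc(n + 1), *w = out;
    if (!out) return NULL;
    for (const char *p = tmpl; *p; )
        if (p[0] == '%' && p[1] == 's') { memcpy(w, value, vlen); w += vlen; p += 2; }
        else *w++ = *p++;
    *w = '\0';
    return out;
}

/* Quoted variant: the selection reaches the shell as a single argument. */
char *substitute_quoted(const char *tmpl, const char *selection) {
    char *q = shell_quote(selection);
    char *cmd = q ? substitute(tmpl, q) : NULL;
    free(q);                            /* release the temporary copy */
    return cmd;
}

int main(void) {
    const char *sel = "; echo INJECTED";            /* constructed selection */
    char *raw = substitute("echo %s", sel);         /* shell sees two commands */
    char *safe = substitute_quoted("echo %s", sel); /* shell sees one argument */
    if (raw && safe) printf("raw:    %s\nquoted: %s\n", raw, safe);
    free(raw); free(safe);
    return 0;
}
```

<p>Quoting of this kind only holds when the placeholder sits in an unquoted argument position of the template; a template that is just <code>%s</code>, or one that already wraps the placeholder in quotes, needs different handling.</p>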
