If someone could force user input so that `a := "%v"`, then `color.RedString()` would try to interpret the string as a format string, which would be an error. I suspect this could be leveraged to be a security issue.
The README.md should be clear that `color.FOOString(fmt.Sprintf(a, b))` is an anti-pattern, and that only `color.FOOString(a, b)` is needed.
IMHO any function that accepts a format string should have a name that ends with `f`, such as `color.RedStringf()`. I realize this is a breaking change, and I hope you consider this change in v2.
I recently saw this being submitted in a PR:
That works, but this is better: