diff options
| author | Nathaniel Wesley Filardo <nwf@cs.jhu.edu> | 2014-05-29 02:17:58 -0400 |
|---|---|---|
| committer | Nathaniel Wesley Filardo <nwf@cs.jhu.edu> | 2014-05-29 16:09:20 -0400 |
| commit | 394cb4ffeab6d59ffc31393ffed64a044d036887 (patch) | |
| tree | 5691cd7e731d8918c030b54e1e4b2d483b98c0b0 /readme.md | |
| parent | 19bb3834ac44372bd6c86f496b7fb12e65a70821 (diff) | |
| download | xmobar-394cb4ffeab6d59ffc31393ffed64a044d036887.tar.gz xmobar-394cb4ffeab6d59ffc31393ffed64a044d036887.tar.bz2 | |
Add <raw=len:str/> tags for handling tainted text
Diffstat (limited to 'readme.md')
| -rw-r--r-- | readme.md | 16 |
1 files changed, 16 insertions, 0 deletions
@@ -202,6 +202,22 @@ For the output template: (left mouse button). Using old syntax (without backticks surrounding `command`) will result in `button` attribute being ignored. +- `<raw=len:str/>` allows the encapsulation of arbitrary text `str` (which + must be `len` `Char`s long, where `len` is encoded as a decimal sequence). + Careful use of this and `UnsafeStdinReader`, for example, permits window + managers to feed xmobar strings with `<action>` tags mixed with un-trusted + content (e.g. window titles). For example, if xmobar is invoked as + + ```xmobar -c "[Run UnsafeStdinReader]" -t "%UnsafeStdinReader%"``` + + and receives on standard input the line + + ```<action=`echo test` button=1><raw=41:<action=`echo mooo` +button=1>foo</action>/></action>``` + + then it will display the text ```<action=`echo mooo` button=1>foo</action>```, + which, when clicked, will cause `test` to be echoed. + Other configuration options: `font` |