The command string escape allows bypassing limitations of the scripting language where needed, e.g. to store a list in a single string (allowing, but discouraging, nested list semantics) with
set var (printf "%s " (string escape $PATH))
As of 2.4.0, however, there is no safe way to unescape such values. While
set list_var (eval "printf '%s\n' $var")
unpacks the quoted list into an actual list, it will happily evaluate any commands smuggled into a manipulated $var as well. A string unescape subcommand would fix this.
fish version installed (fish --version): 2.4.0-111-g7356987
OS/terminal used: Windows 10, Mintty
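An eval-free round trip for the list-in-a-string case above, as an added example that is not part of the original report. It assumes a fish release newer than 2.4.0 that provides `string unescape` and `--style=url`; `pack_list` and `unpack_list` are hypothetical helper names, and the sample values are constructed.

```fish
# Added example; assumes a fish release newer than the 2.4.0 in the report,
# one that provides `string unescape` and `--style=url`.

# Pack a list into one string: url-style escaping percent-encodes spaces,
# so a plain space is a safe separator between elements.
function pack_list
    string escape --style=url -- $argv | string join ' '
end

# Unpack without eval: split on the separator, then decode each element.
# The input is only ever treated as data, never parsed as fish code.
# Limitation: an element containing a newline comes back as two elements,
# because command substitution splits its output on newlines.
function unpack_list
    string split ' ' -- $argv[1] | string unescape --style=url
end

# Constructed sample input, including shell metacharacters.
set -l items 'two words' '(echo INJECTED)' '$HOME; echo x'
set -l packed (pack_list $items)
set -l restored (unpack_list $packed)

# Each element should round-trip literally.
test (count $restored) -eq (count $items); and echo "count ok"
for i in (seq (count $items))
    test "$restored[$i]" = "$items[$i]"; and echo "element $i ok"
end

# For comparison, the eval pattern from the report parses the same
# manipulated text as code, so the command substitution inside it runs.
set -l var '(echo INJECTED)'
eval "printf '%s\n' $var"
```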