From 946851c7865a864543497851560f9ee8365c12fe Mon Sep 17 00:00:00 2001
From: Tobias Girstmair <tobi@isticktoit.net>
Date: Wed, 29 May 2024 20:33:03 +0200
Subject: [PATCH] make highlight strip control characters

excluding \r \n, of course. this could easily have been a seperate
output filter (something like `tr -d '[:cntrl:]'` modulo CR/LF).
---
 contrib/highlight | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/contrib/highlight b/contrib/highlight
index 34d390d..1d3458a 100755
--- a/contrib/highlight
+++ b/contrib/highlight
@@ -36,8 +36,15 @@ def say(*args):
     sys.stdout.buffer.write(b"".join(args)+b"\n")
     sys.stdout.buffer.flush()
 
+def sanitize(s):
+    # removes control characters so malicious actors can't mess up our terminal
+    # with escape sequences. this also removes formatting codes.
+    return re.sub(rb"[\001-\011\013\014\016-\037\177\x80-\x9F]", b"", s)
+
 myself = None
 for line in sys.stdin.buffer:
+    line = sanitize(line)
+
     [nick, user, host], command, arguments = parse(line)
 
     if command in (b"PRIVMSG", b"NOTICE") and len(arguments) == 2 and nick:
-- 
2.39.3