From a6bc5fd993026d4efc5f47524b7a09fae41be4fa Mon Sep 17 00:00:00 2001
From: Tobias Girstmair <tobi@isticktoit.net>
Date: Mon, 20 May 2024 18:44:59 +0200
Subject: [PATCH] document non-filtering of escape sequences

---
 spec.txt | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/spec.txt b/spec.txt
index f5476a7..6fc7e66 100644
--- a/spec.txt
+++ b/spec.txt
@@ -33,6 +33,14 @@ sets up an irc connection, and not much more.
     - relatively secure password handling!
 
 
+## vulnerabilities
+
+- we don't guard against escape sequences in responses. when used interactively,
+  a bad actor could send malicious sequences causing terminal corruption.
+  causing data leaks (by querying terminal information) is unlikely, as the
+  responses won't be proper irc PRIVMSGs.
+
+
 ## minor TODOs
 
 - check if port is valid
-- 
2.39.3