From 7e09f662cbe7f76753a936bb1aff1952489a9d3c Mon Sep 17 00:00:00 2001
From: Kim Alvefur <zash@zash.se>
Date: Sat, 3 Jul 2021 04:29:25 +0200
Subject: util.format: Allow newlines but ensure following lines are indented

This should a) prevent injection of text that looks like legitimate log
lines and b) not mangle tracebacks.
---
 util/format.lua | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'util/format.lua')

diff --git a/util/format.lua b/util/format.lua
index 52388081..2a29c4f3 100644
--- a/util/format.lua
+++ b/util/format.lua
@@ -60,7 +60,7 @@ local function format(formatstring, ...)
 				args[i] = dump(arg);
 				spec = "%s";
 			elseif option == "s" then
-				args[i] = tostring(arg):gsub("[%z\1-\31\127]", control_symbols);
+				args[i] = tostring(arg):gsub("[%z\1-\8\11-\31\127]", control_symbols):gsub("\n\t?", "\n\t");
 			elseif type(arg) ~= "number" then -- arg isn't number as expected?
 				args[i] = tostring(arg);
 				spec = "[%s]";
-- 
cgit v1.2.3