Re: Sieve notify options and escaping

[Aaron Stone <aaron@xxxxxxxxxxxxxx>]

On Tue, 2007-03-27 at 14:03 +0200, Kjetil Torgrim Homme wrote:
> On Mon, 2007-03-26 at 17:53 +0000, Aaron Stone wrote:
> > Do we have the option for "lazy evaluation" of variable expansion? If the
> > expansion takes place inside the action, we have no trouble. If it takes
> > place prior to calling the action, we need escaping.
> 
> [variables] says:
> 
> 3.  Interpretation of strings
>    [...]
>    Tests or actions in future extensions may need to access the
>    unexpanded version of the string argument and, e.g., do the expansion
>    after setting variables in its namespace.  The design of the
>    implementation should allow this.
> 
> so the door is kept open, but the extension needs to be explicit about
> it.  notice that a separate namespace should be used for such "dynamic"
> or "internal" variables, in other words it should be ${notify.summary},
> not just ${summary}.  for normal variables without a namespace, the
> behaviour is:
> 
>    The expanded string MUST use the variable values which are current
>    when control reaches the statement the string is part of.

So a user can supply a variable that expands into valid options or url
syntax. I do think we have to prevent this.

Aaron