public inbox archive for pandoc-discuss@googlegroups.com
From: Albert Krewinkel <albert+pandoc-9EawChwDxG8hFhg+JK9F0w@public.gmane.org>
To: pandoc-discuss-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
Subject: Re: state of the art in pandoc CLI wrappers?
Date: Wed, 18 May 2022 23:13:39 +0200
Message-ID: <87tu9m8rxg.fsf@zeitkraut.de>
In-Reply-To: <845cec37-32af-1a31-685a-dabc3d42b314-T1oY19WcHSwdnm+yROfE0A@public.gmane.org>

Joseph Reagle <joseph.2011-T1oY19WcHSwdnm+yROfE0A@public.gmane.org> writes:

> Does Quarto allow you to specify filters or csl files in the document
> itself? For example, I like to use the pantable filter in some
> documents but not all -- it's too slow for that.

See <https://quarto.org/docs/authoring/filters.html>
CSL can be set via metadata, no wrapper needed for that.

> I would worry about a document compromised on a webhost and then
> synced locally compromising my local machine, so I appreciate pandoc's
> constraint against running arbitrary filters from the document's
> metadata.

Pandoc follows the design principle that, if an attacker can control a
document but not the command that's being run, then the worst they
should be able to do is cause pandoc to hang. On the other hand, tools
like Quarto or Jupyter Notebooks treat documents as programs; the
assumption that anything can happen is already built-in. That's why
running arbitrary filters is not a problem under their threat model.

-- 
Albert Krewinkel
GPG: 8eed e3e2 e8c5 6f18 81fe  e836 388d c0b2 1f63 1124
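
Added example, not part of the message above and not code from pandoc or Quarto: a sketch of how a hypothetical CLI wrapper could let a document request filters while keeping the property described in the message, that whoever controls the document does not choose what code runs. The `filters:` front-matter key, the allowlist names and the `/opt/pandoc-filters/` paths are assumptions made for illustration; `--filter`, `--lua-filter` and `-o` are pandoc's own options.

```python
import re

# Operator-controlled allowlist (constructed paths); the document only names filters.
ALLOWED_FILTERS = {
    "pantable": "/opt/pandoc-filters/pantable",
    "wordcount": "/opt/pandoc-filters/wordcount.lua",
}

# Constructed sample: one legitimate request and two document-supplied paths.
SAMPLE_DOC = """---
title: Report
filters:
  - pantable
  - ./payload.lua
  - /tmp/evil
---
Body text.
"""

def requested_filters(text):
    """Names in a top-level `filters:` block list; other YAML shapes fail closed."""
    lines = text.splitlines()
    if not lines or lines[0].rstrip() != "---":
        return []
    names, in_list = [], False
    for line in lines[1:]:
        if line.rstrip() in ("---", "..."):
            return names
        if re.match(r"filters:\s*$", line):
            in_list = True
        elif in_list and (item := re.match(r"\s*-\s+(.+?)\s*$", line)):
            names.append(item.group(1).strip("'\""))
        elif line.strip():
            in_list = False
    return []  # unterminated front matter: treat as no metadata

def build_argv(doc_text, input_path, output_path):
    """Return (argv, rejected); argv is a list, so no shell ever parses it."""
    argv, rejected = ["pandoc"], []
    for name in requested_filters(doc_text):
        path = ALLOWED_FILTERS.get(name)  # exact-name lookup, never a path join
        if path is None:
            rejected.append(name)
        else:
            argv += ["--lua-filter" if path.endswith(".lua") else "--filter", path]
    return argv + ["-o", output_path, input_path], rejected
```

The rejected list is worth logging: a synced document that starts requesting filter paths it never used before is a signal that its source may have been tampered with.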

