`glue_safe()` and `glue_data_safe()` differ from `glue()` and `glue_data()` in that the safe versions only look up symbols from an environment using `get()`; they do not execute any R code. This makes them suitable for use with untrusted input, such as inputs in a Shiny application, where using the normal functions would allow an attacker to execute arbitrary code.

```r
glue_safe(..., .envir = parent.frame())

glue_data_safe(.x, ..., .envir = parent.frame())
```

... | [ |
---|---|
.envir | [ |
.x | [ |

```r
library(glue)

# Bind the value 5 to a variable whose name is literally "1 + 1"
"1 + 1" <- 5

# glue actually executes the code
glue("{1 + 1}")
#> 2

# glue_safe just looks up the value
glue_safe("{1 + 1}")
#> 5

rm("1 + 1")
```
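
The difference matters most when the template string itself is untrusted. The following is an added example, not part of the glue documentation: `render_untrusted()`, `probe`, `fields` and both template strings are constructed for illustration, and the templates stand in for text arriving from something like a Shiny input.

```r
library(glue)

# Constructed sample data: the only values a template is meant to see.
fields <- list(name = "Ada", n = 3)

# Environment used only to record whether template code was evaluated.
probe <- new.env()
probe$ran <- FALSE

# Constructed templates standing in for user-supplied text.
benign   <- "Hello {name}, you have {n} new messages."
tampered <- "Hello {name}{probe$ran <- TRUE}"

# Hypothetical helper: render with symbol lookup only. A placeholder that is
# not the name of an existing object raises an error, which is reported and
# turned into NA instead of being evaluated.
render_untrusted <- function(template, data) {
  tryCatch(
    as.character(glue_data_safe(data, template)),
    error = function(e) {
      message("template rejected: ", conditionMessage(e))
      NA_character_
    }
  )
}

# glue_data() evaluates the expression in the braces, so the side effect
# happens even though the caller only wanted string interpolation.
invisible(glue_data(fields, tampered))
stopifnot(isTRUE(probe$ran))

# Reset the marker and repeat with the lookup-only variant.
probe$ran <- FALSE
stopifnot(identical(
  render_untrusted(benign, fields),
  "Hello Ada, you have 3 new messages."
))
stopifnot(is.na(render_untrusted(tampered, fields)))
stopifnot(isFALSE(probe$ran))

# Note: get() follows enclosing environments starting from .envir, so a
# placeholder can still read any variable visible from the calling frame.
# Keep values that must not be disclosed out of that scope.
```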