Add missing documentation for prompt pasting in REPL modes other than julia>
#49377
without having to scrub away prompts and outputs. This feature is enabled by default but can be | ||
disabled or enabled at will with `REPL.enable_promptpaste(::Bool)`. If it is enabled, you can try it | ||
out by pasting the code block above this paragraph straight into the REPL. This feature does not | ||
work on the standard Windows command prompt due to its limitation at detecting when a paste occurs. | ||
|
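Review bot: The sentence inviting readers to try "pasting the code block above this paragraph straight into the REPL" gives the toggle only as the signature `REPL.enable_promptpaste(::Bool)` and does not say what the REPL does with the pasted text. Spell out the concrete call that turns the feature off, `REPL.enable_promptpaste(false)`, and add a sentence stating that prompt-prefixed text pasted here is run as input, so readers know to paste only text they trust.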
Since pasting leads directly to code execution, perhaps it'd be good to add a warning that only trusted text should be pasted?
There is prior art (http://thejh.net/misc/website-terminal-copy-paste) for the dangers of this kind of thing after all.
I was thinking the same thing, but assumed that that had probably been discussed previously.
My suggestion would be for the prompt pasting to be initially disabled but if you do trigger, you are prompted to either allow pasting this one time, enable the feature without prompting in the future, or cancel the paste.
Or to avoid having to have a different means of persisting the always-paste response, maybe make that opt-in via an environment variable or command that can be included in `startup.jl`. The ergonomics of those aren't great for beginners, though.
I guess it depends on the environment. I know that the "new" Windows Terminal app does that kind of warning by itself already, so having a similar warning again in julia itself could be quite annoying. I didn't mean to start a discussion about how to do that safer in general though - just that a warning like
```
!!! warn "Command Injection"
    Only paste text you trust & know to be safe to paste. The pasted input is evaluated immediately, without any safeguards.
```
could be useful for making people who are unaware of the dangers a bit more aware about pasting things around.
Yeah, arguably it's better left to the terminal (I use iTerm2 on Mac, which does the same thing). Hopefully we can all agree that the docs should be updated so there's at least some indication that not only valid Julia code will get executed but also valid shell commands. I wouldn't be averse to adding some sort of warning in the docs as well, though you can only go so far with hand-holding (and if someone is the type of person who'd blindly paste code in the terminal, are they also the type who'd have read the documentation..?).
Since adding the warning is a strict improvement over not mentioning this at all, I'd say go for it! Should be fine in this PR too, since it touches the same subject & text.
The functionality was added in #40604 but not documented.