node-shell-escape icon indicating copy to clipboard operation
node-shell-escape copied to clipboard
verified publisher icon xxorax

Windows doesn't like single quotes

Open seangenabe opened this issue 10 years ago • 10 comments

Windows doesn't like single quotes to be used as argument "wrappers", it will try to include them literally in the command-line argument.

Example: write-file

var FS = require('fs')
var Path = require('path')

var file = process.argv[2]
FS.writeFileSync(Path.join(__dirname, file), 'foo')

When I call node write-file 'hello.txt', it creates literally the file 'hello.txt', with quotes.

seangenabe avatar Sep 09 '15 10:09 seangenabe

This lib is unfortunately not compatible at all with the Windows shell. Feel free to make a pull request. It will need complete rewrite of the function.

xxorax avatar Oct 10 '15 14:10 xxorax

As there appears to be no interest in the pull requests, I'd like to note that others might be interested in using cross-spawn instead. It, like child_process.spawn(), accepts parameters and makes sure they are safely escaped—all the while working on Windows!

The reason one might want to use child_process.exec() instead of child_process.spawn() in the first place is that child_process.exec() succeeds more reliably at actually doing things on Windows (unlike child_process.spawn()). So one naturally looks for a shell escaping library to use child_process.exec() safely. And then finds that no such library that’s compatible with Windows/everything exists—because everybody else already moved on to cross-spawn.

binki avatar Nov 21 '16 04:11 binki

As just mentionned in my comment on the PR, this lib is not ready to support Windows shell.

In fact it support the most common linux shells (only): sh, bash, zsh.

Adding support for other shells (cmd.exe, powershell...etc) needs to define others functions or options to let the user set for what shell he want to escape.

I'm open to it, but it will be much more complicated.

xxorax avatar Jan 27 '18 06:01 xxorax

@xxorax May you at least update the README to indicate that this project is intended only for systems with POSIX shells and does not support Windows for now?

binki avatar Jul 07 '18 14:07 binki

can you please update the readme this so that it states which OS it's compatible for (so others don't waste time)

ChuckJonas avatar Nov 01 '18 00:11 ChuckJonas

As yet another person that just wasted time on this repo since I need to support Windows, I will echo what the others have asked for 😄

thieman avatar Apr 13 '19 13:04 thieman

I've made an updated fork using @seangenabe's code

https://github.com/mkg20001/escape-it

Tests are currently broken for windows, since I don't know what the intended behavior is (it doesn't seem to escape ';')

Also, the api changed. Now it is escape(platform)(list, of, strings) (so you need to use the spread operator like so escape(platform)(...arrayOfStrings) to pass an array as argument)

Platform is assumed to be process.platform by default

mkg20001 avatar Nov 11 '19 13:11 mkg20001

@mkg20001 see @seangenabe branch win32-tests https://github.com/seangenabe/node-shell-escape/tree/win32-tests

xmedeko avatar Jun 11 '20 07:06 xmedeko

@mkg20001 @xmedeko Please use cross-spawn instead of escaping parameters and interpolating shellouts yourselves. That style of executing programs is only asking for trouble/security issues/weird-hard-to-debug-brokenness.

binki avatar Jun 11 '20 20:06 binki

@binki I am well aware that the spawn or execFile is preferred over shell escaping, but for various reasons, I need shell escaping now. Maybe you can submit a PR to README.md with your comment.

xmedeko avatar Jun 12 '20 05:06 xmedeko