
Show HN: Tap curl in your editor before it gets to sh - awalGarg
https://github.com/awalGarg/curl-tap-sh
======
robryk
Why do you create an env variable that contains the whole file in question
when the editor returned success? Wouldn't something like:

    cat "$f"; rm "$f"

not involve loading the whole file in memory at once? Note that using this
also makes sense with self-extracting archives/shell scripts, because it lets
you inspect the shell script at the beginning.

~~~
0xmohit
Moreover, dumping the file into a variable doesn't seem to be a good idea if
the file were to contain null characters.
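
The approach robryk suggests above, which also covers the NUL-byte concern in the reply, written out as a shell function. This is an added sketch, not code from curl-tap-sh or from either commenter; `tap_stream` and `TAP_TTY` are hypothetical names, and it assumes the editor signals rejection with a non-zero exit status.

```shell
# Added sketch, not curl-tap-sh's own code.
# TAP_TTY is a hypothetical override so the function can run without a terminal.
tap_stream() {
    tap_f=$(mktemp) || return 1

    # Spool stdin to disk byte for byte. Nothing passes through a shell
    # variable, so NUL bytes survive and the payload is never held in memory.
    if ! cat >"$tap_f"; then
        rm -f "$tap_f"
        return 1
    fi

    # stdin/stdout of this function are the pipe, so the editor is attached
    # to the terminal explicitly.
    tap_tty=${TAP_TTY:-/dev/tty}

    # $EDITOR is left unquoted on purpose so values like "code -w" still work.
    if ${EDITOR:-vi} "$tap_f" <"$tap_tty" >"$tap_tty"; then
        cat "$tap_f"        # editor exited 0: forward the reviewed bytes
        tap_rc=$?
    else
        tap_rc=1            # editor exited non-zero: forward nothing
    fi

    rm -f "$tap_f"
    return "$tap_rc"
}
```

Used as `curl ... | tap_stream | sh`, the downstream shell receives input only after the editor exits successfully; quitting the editor with an error status (for example `:cq` in vim) leaves the pipe empty.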

------
semi-extrinsic
A much better feature is available in zsh, called safe-paste, that does this
without the user having to insert "tap" or anything else manually. It relies
on something called bracketed paste, where the terminal emulator sends special
escape sequences to indicate the beginning and end of a paste. These are
intercepted by the zsh plugin, which opens $EDITOR with the pasted content.

[https://github.com/robbyrussell/oh-my-zsh/blob/master/plugin...](https://github.com/robbyrussell/oh-my-zsh/blob/master/plugins/safe-paste/safe-paste.plugin.zsh)

~~~
JadeNB
Bracketed paste mode can still be broken by a malicious web-site:
[https://thejh.net/misc/website-terminal-copy-paste](https://thejh.net/misc/website-terminal-copy-paste). Does this
solution have the same vulnerability?

~~~
semi-extrinsic
Depends on the terminal emulator you're using, I believe. It (and not zsh)
needs to filter out escape sequences.

------
sdx23
I don't really see why I'd install something from some GitHub repository if I
can get it from a moreutils package that I like to have installed anyway.

~~~
OJFord
Then don't. `vipe` from `moreutils` is acknowledged in this project's readme.

I don't have `moreutils` installed; it's plausible that someone might want
just the single package, in which case `tap` would seem OK as an alternative.

------
tambourine_man
Simple, but nice

