Directly passing user data to the command line is highly dangerous. It allows an attacker to execute arbitrary commands on the command line [0].
escapeshellarg [1] has to be used to escape a string to be used as a shell argument.
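As an added example (not code from the original post), the same injection and the same fix shown in Python, whose shlex.quote does what PHP's escapeshellarg does: it wraps the value in single quotes and escapes any embedded single quote so the shell sees one literal argument. The hostile filename is constructed for the demonstration and uses echo in place of a destructive command; the function names are illustrative.

```python
import shlex
import subprocess

# Constructed attacker input: a "filename" that closes the intended argument
# and appends a second command. Replace "echo injected" with anything
# destructive and the vulnerable version runs it.
HOSTILE_NAME = "report.txt; echo injected"


def vulnerable_command(filename: str) -> str:
    # Plain string interpolation: the shell parses ';' as a command separator,
    # so the attacker's text becomes a second command.
    return f"echo {filename}"


def escaped_command(filename: str) -> str:
    # shlex.quote is the escapeshellarg equivalent: the whole value is wrapped
    # in single quotes and embedded single quotes become '\'' so nothing in it
    # can end the argument or start a new command.
    return f"echo {shlex.quote(filename)}"


def run_via_shell(cmd: str) -> str:
    # Hands the command string to /bin/sh, which is what PHP's exec()/shell_exec() do.
    return subprocess.run(
        cmd, shell=True, capture_output=True, text=True, check=True
    ).stdout


def run_without_shell(filename: str) -> str:
    # The safest option when you control the call: no shell at all.
    # An argv list is passed straight to execve(), so nothing is parsed.
    return subprocess.run(
        ["echo", filename], capture_output=True, text=True, check=True
    ).stdout


if __name__ == "__main__":
    print("vulnerable:", repr(run_via_shell(vulnerable_command(HOSTILE_NAME))))
    print("escaped:   ", repr(run_via_shell(escaped_command(HOSTILE_NAME))))
    print("no shell:  ", repr(run_without_shell(HOSTILE_NAME)))
```

The vulnerable build prints two lines (the second command ran); the quoted build and the argv-list build print the hostile string back as one harmless argument. Argument quoting only fixes argument boundaries: a value that begins with "-" is still parsed by the called program as an option, so put "--" before user-supplied arguments where the program supports it, or avoid the shell entirely as in run_without_shell.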
Directly doing anything with attacker supplied data is generally a no-no.
Everything that may come from a user must be filtered, escaped or generally treated as hostile.
As an example, on an IRC channel someone once made their chan bot log the channel to the web; all it took was pasting JavaScript into an IRC window and typing "LOL look at this! http://stupidbot.com/ircweblog". Channel pwned.
When you consider Facebook's target audience, it's probably okay to make people like us jump through a hoop in order to stop Grandma from being completely p0wned by typing in some JavaScript.
Yes, maybe people should know that running arbitrary JavaScript is dangerous, but they don't.
Good catch. It's because I cheated. The command will be sent from the phone to the desktop; the phone, on the other hand, does not receive the state of the dim. The button text is just changed by the click event. Gonna change soon.
Remote: Yes
Willing to relocate: Yes
Technologies: Java, JavaScript (Node, React, d3.js), Python, Machine Learning.
Résumé/CV: https://drive.google.com/file/d/0B6gMBxC04UxhZnQ1eVgwc0V0WDQ...
Email: rsyncf@gmail . com