From fbb61e7ef297ef6114b68281c19f3767a5a959ce Mon Sep 17 00:00:00 2001
From: Yasuhiro Matsumoto
Date: Sat, 7 Mar 2026 16:45:56 +0900
Subject: [PATCH] Use shellescape() for external commands to prevent command injection

File paths passed to system() via xxd and identify were using manual double-quote wrapping instead of shellescape(), which could allow command injection with specially crafted filenames.
---
 autoload/emmet/util.vim | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/autoload/emmet/util.vim b/autoload/emmet/util.vim
index 4891778..8130b17 100644
--- a/autoload/emmet/util.vim
+++ b/autoload/emmet/util.vim
@@ -229,7 +229,7 @@ function! emmet#util#getImageSize(fn) abort
 endif

 if filereadable(l:fn)
- let l:hex = substitute(system('xxd -p "'.l:fn.'"'), '\n', '', 'g')
+ let l:hex = substitute(system('xxd -p '.shellescape(l:fn)), '\n', '', 'g')
 else
 if l:fn !~# '^\w\+://'
 let l:path = fnamemodify(expand('%'), ':p:gs?\\?/?')
@@ -248,7 +248,7 @@ function! emmet#util#getImageSize(fn) abort
 endif
 endfor
 endif
- let l:hex = substitute(system(g:emmet_curl_command.' "'.l:fn.'" | xxd -p'), '\n', '', 'g')
+ let l:hex = substitute(system(g:emmet_curl_command.' '.shellescape(l:fn).' | xxd -p'), '\n', '', 'g')
 endif

 let [l:width, l:height] = [-1, -1]
@@ -283,7 +283,7 @@ function! emmet#util#getImageSize(fn) abort
 endfunction

 function! emmet#util#imageSizeWithImageMagick(fn) abort
- let l:img_info = system('identify -format "%wx%h" "'.a:fn.'"')
+ let l:img_info = system('identify -format "%wx%h" '.shellescape(a:fn))
 let l:img_size = split(substitute(l:img_info, '\n', '', ''), 'x')
 if len(l:img_size) != 2
 return [-1, -1]
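Review bot: shellescape() neutralises shell metacharacters but still hands the value to the child process as a bare argument, so a local path beginning with `-` can be parsed by `xxd` or `identify` as an option rather than a file name; the same pattern recurs in the -248, -283, -322 and -341 hunks. Whether those tools honour a `--` separator I could not confirm from here, but for the filereadable() branches an absolute path never starts with a dash, e.g. `let l:hex = substitute(system('xxd -p '.shellescape(fnamemodify(l:fn, ':p'))), '\n', '', 'g')`. Per `:help shellescape()` the quoting style also depends on 'shell' and 'shellslash' on MS-Windows (single quotes when 'shellslash' is set, which cmd.exe does not interpret), so the hardening assumes a POSIX-style shell and a short comment to that effect above the first system() call would help. The enclosing getImageSize() starts and continues outside the hunk.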
@@ -322,7 +322,7 @@ function! emmet#util#imageEncodeDecode(fn, flag) abort
 let l:fn = a:fn

 if filereadable(l:fn)
- let l:hex = substitute(system('xxd -p "'.l:fn.'"'), '\n', '', 'g')
+ let l:hex = substitute(system('xxd -p '.shellescape(l:fn)), '\n', '', 'g')
 else
 if l:fn !~# '^\w\+://'
 let l:path = fnamemodify(expand('%'), ':p:gs?\\?/?')
@@ -341,7 +341,7 @@ function! emmet#util#imageEncodeDecode(fn, flag) abort
 endif
 endfor
 endif
- let l:hex = substitute(system(g:emmet_curl_command.' "'.l:fn.'" | xxd -p'), '\n', '', 'g')
+ let l:hex = substitute(system(g:emmet_curl_command.' '.shellescape(l:fn).' | xxd -p'), '\n', '', 'g')
 endif

 let l:bin = map(split(l:hex, '..\zs'), 'eval("0x" . v:val)')