Escape control characters when displaying VCL content#1637
Merged
jedisct1 merged 2 commits intofastly:mainfrom Mar 9, 2026
Merged
Escape control characters when displaying VCL content#1637jedisct1 merged 2 commits intofastly:mainfrom
jedisct1 merged 2 commits intofastly:mainfrom
Conversation
philippschulte
approved these changes
Jan 27, 2026
Member
philippschulte
left a comment
philippschulte
left a comment
There was a problem hiding this comment.
This looks great! Thank you sir!
rcaril
reviewed
Jan 28, 2026
VCL content currently allows control characters, which are stored without modification. This allows a malicious API token owner to inject control characters that manipulate the user’s terminal, potentially causing the CLI to display VCL code different from the code being executed. Fix this by escaping control sequences.
jedisct1
added a commit
that referenced
this pull request
Mar 17, 2026
Both PRs were merged after the v14.0.4 release.
5 tasks
jedisct1
added a commit
that referenced
this pull request
Mar 17, 2026
### Change summary Moved two changelog entries from the v14.0.0 section to Unreleased, as both PRs were merged after v14.0.4 was tagged: - #1653 - feat(compute/build): Block version 1.93.0 of Rust - #1637 - feat(service/vcl): escape control characters when displaying VCL content All Submissions: * [x] Have you followed the guidelines in our Contributing document? * [x] Have you checked to ensure there aren't other open [Pull Requests](https://github.com/fastly/cli/pulls) for the same update/change? ### New Feature Submissions: * [x] Does your submission pass tests? ### Changes to Core Features: * [x] Have you written new tests for your core changes, as applicable? * [x] Have you successfully run tests with your changes locally? ### User Impact None. Documentation-only change to the changelog. ### Are there any considerations that need to be addressed for release? None.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Change summary
VCL content currently allows control characters, which are stored without modification.
This allows injecting control characters that manipulate the user’s terminal, potentially causing the CLI to display VCL code different from the code being executed.
Fix this by escaping control sequences.
This is a low-impact issue, as it requires write access to the VCL.
All Submissions:
New Feature Submissions:
Changes to Core Features:
User Impact
Escape sequences are now displayed as escaped.
Are there any considerations that need to be addressed for release?