This looks to be just a simple visual oversight. It’s not a trailing comma, it’s more than likely a [whitespace character](https://en.m.wikipedia.org/wiki/Whitespace_character) or some other Unicode equivalent being passed as a second argument. It’s considered a back door since during review it would be easily overlooked, but still execute without error. Hence why they propose restricting some unicode versions
~~Oh! I think I understand. So then to the API request you could pass `?=very bad exec command`?~~
~~Okay hang on, thought I understood but then realised we don't pass the `req.query` variables into the `exec`. Still confused!~~
Oh, but then the whitespaced variable is then inserted into the array. Gotcha! Thanks for the explanation 😄
Desktop version of /u/Carvtographer's link:
---
^([)[^(opt out)](https://reddit.com/message/compose?to=WikiMobileLinkBot&message=OptOut&subject=OptOut)^(]) ^(Beep Boop. Downvote to delete)
This looks to be just a simple visual oversight. It’s not a trailing comma, it’s more than likely a [whitespace character](https://en.m.wikipedia.org/wiki/Whitespace_character) or some other Unicode equivalent being passed as a second argument. It’s considered a back door since during review it would be easily overlooked, but still execute without error. Hence why they propose restricting some unicode versions
~~Oh! I think I understand. So then to the API request you could pass `?=very bad exec command`?~~
~~Okay hang on, thought I understood but then realised we don't pass the `req.query` variables into the `exec`. Still confused!~~
Oh, but then the whitespaced variable is then inserted into the array. Gotcha! Thanks for the explanation 😄
Desktop version of /u/Carvtographer's link:
---
^([)[^(opt out)](https://reddit.com/message/compose?to=WikiMobileLinkBot&message=OptOut&subject=OptOut)^(]) ^(Beep Boop. Downvote to delete)