Qvm-run --filter-escape-chars what is that?

Before I forget, I have one more question
man qvm-run says:

              Filter terminal escape sequences (default if output is terminal).

Why is “if output is terminal”?

Question moved to new topic

I moved this question to a separate topic to give it more visibility. Feel free to edit the title if I didn’t transcribe your intention accurately @0fe6db552f62d773

The qvm-run command can be used to run arbitrary commands from dom0 in less trusted qubes.

The output of commands can include special combinations of characters that affect the terminal in which the command was run.

If the output of those commands is rendered in the dom0 terminal, such special sequences of characters (called escape sequences or escape characters) could allow a less trusted qube to control some aspects of the dom0 terminal, which is not desirable.

That is why when the output of the command that qvm-run is executing will be rendered in a terminal, those so-called escape characters are filtered (out).

You could also choose to render that output to a file instead, in which case those special characters are not an immediate risk. In that case, the default is to render them, but you can choose to filter them anyway by using the --filter-escape-chars option.

The documentation mentions the sequence that allows to modify the terminal title. That sequence, for example, is described in the following section of this Wikipedia page. But you can also see that there are many other.


BTW, the qvm-run option’s name and description are a little bit misleading. It’s no longer replacing just a few known dangerous characters (escape sequences) but rather it’s strictly replacing everything except a list of safe characters (printable ASCII, tab, newline, return, backspace, bell):