Sanitization for untrusted terminal output.
This module implements the sanitize-by-default policy (ADR-006) to protect against terminal escape injection attacks. Any untrusted bytes displayed as logs, tool output, or LLM streams must be treated as data, not executed as terminal control sequences.
§Threat Model
Malicious content in logs could:
- Manipulate cursor position (break inline mode)
- Change terminal colors/modes persistently
- Hide text or show fake prompts (social engineering)
- Trigger terminal queries that exfiltrate data
- Set window title to misleading values
§Performance
- Fast path (95%+ of cases): Scan for the ESC byte using memchr. If no ESC is found, the content is safe and a borrowed slice is returned. Zero allocation in the common case, < 100ns for a typical log line.
- Slow path: Allocate an output buffer, strip control sequences, and return an owned String. Linear in input size.
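The two paths above, sketched with only the standard library (`str::find` stands in for memchr). This is an added example, not ftui_render's implementation, and `strip_escapes` is a hypothetical name. It assumes the scope is limited to ESC-introduced CSI, OSC and two-character sequences; other control bytes are passed through unchanged.

```rust
use std::borrow::Cow;

/// Hypothetical helper for illustration; not ftui_render's `sanitize`.
/// Strips ESC-introduced sequences only (CSI, OSC, two-character escapes).
pub fn strip_escapes(input: &str) -> Cow<'_, str> {
    // Fast path: no ESC byte, so nothing can start a sequence. Borrow as-is.
    let Some(first) = input.find('\x1b') else {
        return Cow::Borrowed(input);
    };
    // Slow path: keep the clean prefix, then copy everything except sequences.
    let mut out = String::with_capacity(input.len());
    out.push_str(&input[..first]);
    let mut chars = input[first..].chars().peekable();
    while let Some(c) = chars.next() {
        if c != '\x1b' {
            out.push(c);
            continue;
        }
        match chars.next() {
            // CSI: ESC [ <params/intermediates 0x20-0x3F>* <final 0x40-0x7E>
            Some('[') => {
                while chars.next_if(|&p| matches!(p, '\x20'..='\x3f')).is_some() {}
                chars.next_if(|&f| matches!(f, '\x40'..='\x7e'));
            }
            // OSC: ESC ] <payload> ended by BEL or ST (ESC \). Stop before an
            // ESC so the outer loop consumes ST or a new sequence.
            Some(']') => {
                while let Some(p) = chars.next_if(|&p| p != '\x1b') {
                    if p == '\x07' {
                        break;
                    }
                }
            }
            // Any other two-character escape, or a trailing lone ESC: dropped.
            _ => {}
        }
    }
    Cow::Owned(out)
}

fn main() {
    // Constructed sample lines, not taken from real logs.
    for line in ["GET /health 200", "\x1b]0;fake title\x07ok", "a\x1b[2Jb"] {
        println!("{:?} -> {:?}", line, strip_escapes(line));
    }
}
```

Because the only characters ever pushed to the output are non-ESC characters, the result cannot contain an ESC byte even when the input sequences are truncated or malformed.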
§Usage
```rust
use ftui_render::sanitize::sanitize;
use std::borrow::Cow;

// Fast path - no escapes, returns borrowed
let safe = sanitize("Normal log message");
assert!(matches!(safe, Cow::Borrowed(_)));

// Slow path - escapes stripped, returns owned
let malicious = sanitize("Evil \x1b[31mred\x1b[0m text");
assert!(matches!(malicious, Cow::Owned(_)));
assert_eq!(malicious.as_ref(), "Evil red text");
```
Enums§
- Text: Text with trust level annotation.
Functions§
- sanitize: Sanitize untrusted text for safe terminal display.