Strings which can be accidentally expanded into different strings if evaluated in the wrong context

e.g. used as a printf format string or via Perl or shell eval. Might expose sensitive data from the program doing the interpolation, or might just represent the wrong string.

from minimaxir/big-list-of-naughty-strings

attack/string-expansion/shell-expansion.txt

@@ -0,0 +1,6 @@
+$HOME
+$ENV{'HOME'}
+%d
+%s
+{0}
+%*.*s