bug-gnu-emacs
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

bug#74879: 30.0.92; trusted-content-p and trusted-files cannot be used f

From: Daniel Mendler
Subject: bug#74879: 30.0.92; trusted-content-p and trusted-files cannot be used for non-file buffers
Date: Mon, 16 Dec 2024 14:41:30 +0100
User-agent: Gnus/5.13 (Gnus v5.13) 
Dmitry Gutov <dmitry@gutov.dev> writes:

> On 15/12/2024 12:16, Daniel Mendler via Bug reports for GNU Emacs, the Swiss
> army knife of text editors wrote:
>> For example in my GNU ELPA Corfu package the plan was to check
>> `(trusted-content-p)' when starting auto completion.
>
> Shouldn't that be done in the c-a-p-f function?

Yes, this is a more fine-grained approach. Stefan added a check to the
macroexpansion in Emacs 30 which should make the Elisp Capf safe.

But consider other scenarios like Org-babel or Embark. Org-babel can
execute code blocks and Embark can evaluate Sexps at point. For these
cases it makes sense to check if the buffer is safe before running the
action. However in contrast to auto completion one has to press a
special key to trigger the evaluation.

>>To be clear - Corfu
>> is safe by default, since auto completion is disabled by default.
>> However many people enable auto completion unconditionally in all
>> buffers.
>
> Having completion invoked manually doesn't really ensure that the user knows
> about the odds of it running code from the current file. Some languages do 
> that,
> some don't, and the newbie Lisp users have little idea of what macro expansion
> in completion entails.

That's correct. Nevertheless Eshel specifically mentioned auto
completion in his report. I think that the threshold for auto completion
is a little lower - the user enters normal text and potentially code
execution of in-buffer code happens behind the scenes.

Daniel
reply via email to
[Prev in Thread] Current Thread [Next in Thread]