I was thinking the same. After all, leointeg or leojs could parse 
headlines and do something with the results. What might make sense - 
both for security and for both Leo and leojs - would be to write a small 
number of methods that would be the only ones that could be used in path 
expressions. This would be safer than letting path expressions execute 
arbitrary code.

On Friday, April 7, 2023 at 9:29:47 PM UTC-4 Félix wrote:

> I just checked the path expressions in Leo's docs. Pretty cool feature I 
> didn't even know existed.
>
> That being said, I don't see why vscode would not allow me to evaluate 
> parts of those strings as expected by this feature, as I already have 
> support of scripting, including offering g, c, p etc. available in the 
> scope of the running scripts.
>
> So personally, I'd leave that good stuff in! :) 
>
> Félix
>
> On Friday, April 7, 2023 at 5:55:26 PM UTC-4 Edward K. Ream wrote:
>
>> #3260 <https://github.com/leo-editor/leo-editor/issues/3260> suggests 
>> removing 
>> support for Leo's path expressions 
>> <https://leo-editor.github.io/leo-editor/directives.html#path-expressions> 
>> by removing all calls to c.expand_path_expression in Leo's core and 
>> plugins. My reasons:
>>
>> 1. Path expressions are a serious security concern.
>> 2. Path expressions are not necessary. There are easy workarounds.
>> 3. vs-code will never allow such expressions. leoJS can not possibly 
>> ever support them.
>>
>> *Note*: c.expand_path_expression will still exist should someone need 
>> it.
>>
>> Your comments, please.
>>
>> Edward
>>
>
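
Added example, not part of the thread and not Leo's or leojs's own code: one way the allowlist idea in the top reply could look, parsing each expression with ast and never calling eval(). It assumes path expressions are written as {{...}} as in Leo's docs; the helper names home, env and join, and the names expand_path and PathExpressionError, are hypothetical.

```python
import ast
import os
import re

# Hypothetical allowlist: the only callables a path expression may invoke.
ALLOWED = {
    "home": lambda: os.path.expanduser("~"),
    "env": lambda name: os.environ.get(name, ""),
    "join": lambda *parts: os.path.join(*parts),
}

class PathExpressionError(ValueError):
    """Raised when an expression uses anything outside the allowlist."""

def _eval_node(node):
    """Evaluate string constants and calls to allowlisted names; reject the rest."""
    if isinstance(node, ast.Constant) and isinstance(node.value, str):
        return node.value
    if (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)
            and node.func.id in ALLOWED and not node.keywords):
        args = [_eval_node(a) for a in node.args]  # nested calls are checked too
        try:
            return ALLOWED[node.func.id](*args)
        except TypeError as e:  # wrong number of arguments
            raise PathExpressionError(str(e)) from None
    # Attribute access (c.x, g.x), bare names, operators, subscripts, etc.
    raise PathExpressionError(f"not allowed in a path expression: {ast.dump(node)}")

def expand_path(s):
    """Expand each {{...}} in s without ever calling eval() or exec()."""
    def replace(match):
        try:
            tree = ast.parse(match.group(1).strip(), mode="eval")
        except SyntaxError as e:
            raise PathExpressionError(str(e)) from None
        return str(_eval_node(tree.body))
    return re.sub(r"\{\{(.*?)\}\}", replace, s)
```

Because only names in ALLOWED can be called and only string literals can be passed, an expression that reaches for c, g, p or a builtin fails with PathExpressionError instead of running.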
