From a0650372cafa6debf1465624c2cc23dd01aa7083 Mon Sep 17 00:00:00 2001
From: Aaron Ecay
Date: Fri, 6 Nov 2015 17:51:09 +0000
Subject: [PATCH] Allow bind keywords to set safe values

* lisp/ox.el (org-export-allow-bind-keywords): Add new `safe' value.
(org-export--list-bound-variables): Use it.
* doc/org.texi (Export settings): Update doc.
---
 doc/org.texi | 18 +++++++++++++++---
 lisp/ox.el | 20 ++++++++++++++++----
 2 files changed, 31 insertions(+), 7 deletions(-)

diff --git a/doc/org.texi b/doc/org.texi
index c57cc41..6abf5ad 100644
--- a/doc/org.texi
+++ b/doc/org.texi
@@ -10708,6 +10708,7 @@ properties (@pxref{Properties and columns}). Options set at a specific level override options set at a more general level.
 @cindex #+SETUPFILE
+@anchor{SETUPFILE}
 In-buffer settings may appear anywhere in the file, either directly or indirectly through a file included using @samp{#+SETUPFILE: filename} syntax. Option keyword sets tailored to a particular back-end can be inserted from
@@ -10948,9 +10949,20 @@ properties.
 @cindex #+BIND
 @vindex org-export-allow-bind-keywords
 If @code{org-export-allow-bind-keywords} is non-@code{nil}, Emacs variables
-can become buffer-local during export by using the BIND keyword. Its syntax
-is @samp{#+BIND: variable value}. This is particularly useful for in-buffer
-settings that cannot be changed using specific keywords.
+can become buffer-local during export by using the BIND keyword. Setting the
+variable to @code{t} allows variables to take on all values. Setting it to
+the symbol @code{safe} (the default) only allows safe values. (@pxref{Safe
+File Variables,,,emacs,The Emacs Manual}) The syntax of a BIND keyword is
+@samp{#+BIND: variable value}. The text of @samp{value} will be passed to
+the elisp @code{read} function.@footnote{This means that strings should be
+surrounded with double quotes, but symbols and lists will be read literally
+and need not be quoted for lisp with a single quote.} The BIND keyword is
+particularly useful for in-buffer settings that cannot be changed using
+specific keywords.@footnote{You should not use the usual emacs local variable
+convention (@pxref{Specifying File Variables,,,emacs,The Emacs Manual}),
+because these notations could be lost during the export process.} It is also
+useful for collecting common variable settings in a setup file shared between
+several documents (@pxref{SETUPFILE}).
 @cindex property, EXPORT_FILE_NAME
 The name of the output file to be generated is taken from the file associated
diff --git a/lisp/ox.el b/lisp/ox.el
index eb1af9b..e257c1f 100644
--- a/lisp/ox.el
+++ b/lisp/ox.el
@@ -832,14 +832,22 @@ can also be set with the OPTIONS keyword, e.g. \"todo:nil\"."
 :group 'org-export-general
 :type 'boolean)
 
-(defcustom org-export-allow-bind-keywords nil
+(defcustom org-export-allow-bind-keywords 'safe
 "Non-nil means BIND keywords can define local variable values.
 This is a potential security risk, which is why the default value
-is nil. You can also allow them through local buffer variables."
+is nil. You can also allow them through local buffer variables.
+
+See the documentation for `safe-local-variable-p' and the
+node (info \"(emacs) Safe File Variables\") for information on
+the safety setting."
 :group 'org-export-general
 :version "24.4"
 :package-version '(Org . "8.0")
- :type 'boolean)
+ :type '(choice
+ (const :tag "Never" nil)
+ (const :tag "Only if safe" safe)
+ (const :tag "Always" t))
+ :safe (lambda (x) (memq x '(nil safe))))
 
 (defcustom org-export-with-broken-links nil
 "Non-nil means do not raise an error on broken links.
@@ -1646,7 +1654,11 @@ an alist where associations are (VARIABLE-NAME VALUE)."
 (let ((val (org-element-property :value element)))
 (if (equal (org-element-property :key element) "BIND")
- (push (read (format "(%s)" val)) alist)
+ (let* ((pair (read (format "(%s)" val))))
+ (when (or (eq org-export-allow-bind-keywords t)
+ (safe-local-variable-p
+ (nth 0 pair) (nth 1 pair)))
+ (push pair alist)))
 ;; Enter setup file.
 (let ((file (expand-file-name (org-remove-double-quotes val))))
-- 
2.6.2
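Review bot: The docstring of `org-export-allow-bind-keywords` still says "which is why the default value is nil" (the added `+is nil.` line), but this hunk changes the default to `'safe`, so it now misdescribes the out-of-the-box security posture. I would reword it along the lines of `which is why the default only accepts values that pass safe-local-variable-p.  Set it to nil to ignore BIND keywords entirely.` The sentence "You can also allow them through local buffer variables" also needs a caveat, since the new `:safe` predicate only admits `nil` and `safe`, so a file-local `t` will not pass it. `:package-version` is left at `8.0` although the set of accepted values changes in this commit.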
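Review bot: A BIND keyword that fails the test in the new `when` is dropped without any trace. Under the `safe` setting an author cannot tell why a binding had no effect, and someone auditing an export cannot see that the document tried to set a non-safe variable. I would turn the `when` into an `if` whose else branch reports it, e.g. `(message "Ignoring BIND for %S: not a safe local value" (nth 0 pair))`. The result of `read` is also used unchecked: an empty or one-word BIND gives a `pair` with fewer than two elements, and malformed text makes `read` signal, so a guard such as `(and (consp pair) (symbolp (car pair)))` before the safety test would help. The enclosing function starts and ends outside the hunk, so I cannot see whether a nil setting is rejected earlier; if it is not, this `or` would still admit safe values when the option is nil.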