From: Jean Louis
Newsgroups: gmane.emacs.help
Subject: Re: How to tame compiler?
Date: Sun, 2 May 2021 10:37:36 +0300
To: Michael Heerdegen
Cc: help-gnu-emacs@gnu.org

* Michael Heerdegen [2021-05-02 08:43]:
> Stefan Monnier writes:
>
> > I know I sound like a broken clock, but [...]
>
> I think you would sound more like an unbroken clock if you would shortly
> tell the disadvantages of using `eval', then people would be more open
> to alternatives.

I have now just isolated the `rcd-template-eval' function into separate package without `lexical-binding' and it works well:

https://hyperscope.link/3/7/1/3/3/RCD-Template-Interpolation-System-for-Emacs.html

This is one special case where lexical-binding should be nil, as me, I wish to be able to expand any variables in the template. I could use `lexical-binding t' to see maybe some compiler errors, but then I have removed it.

Of course I have heard of dangers of using `eval' in various programming languages. But we have to put it in the specific contexts as we do use `eval' so many times. Example is Org mode source blocks, eval is used there, including it is used to evaluate other or any kind of language. And people publish Org mode documents after doing eval.

Just same thing is taking place here. The RCD Template Interpolation system uses `eval' to expand the embedded Emacs Lisp into text.
It is just same as using Org mode with source blocks to expand Emacs Lisp or other programming languages into text.

Just as with writing text, I could accidentally write my passwords and publish them online, or I could accidentally or unknowingly remove all my files with `rm -rf /home/myhome' -- and I remember doing that first time when I met MS-DOS, but command name maybe was different, who cares.

When `eval' is used with parameters that arrive from website visitor, that is where one should be careful maybe to escape the parameters and make sure there is nothing that could disturb or be malicious. Of course one should not `eval' the parameter rather accept strings and process strings.

I guess hundreds if not thousands of people already publish Org files that have such embedded programming languages eval-ed and expanded, and now such Org files are published online.

What I am doing here is the same as Org, just that I like to use any kind of markup to pre-process it before the conversion into HTML.

Back in time I have been testing various templating systems with Perl, and I found this one was the fastest:

https://metacpan.org/pod/Text::NeatTemplate

because I have tested all templating systems on thousands page expansions and found that one being fastest, I used it for years. One can see how variables are being carefully prepared to be passed to the function. And there are many similar templating systems used for HTML generation.

Then I have been using for another bunch of years the CL-EMB Common Lisp templating system:

https://40ants.com/lisp-project-of-the-day/2020/09/0192-cl-emb.html
https://www.common-lisp.net/project/cl-emb/

I think CL-EMB does not use `eval' directly but it uses `read-from-string' and macro to expand the values. Anything can take place there, as it is equivalent to eval, any code can be placed in the text, and of course somebody can insert malicious code and do something bad.

Let us say I make system in the functional style, that I don't write plain text but rather Lisp expressions like (html (p "Something")) then it is also open to inserting malicious code there, it is even easier to insert malicious code into the code as it camouflages itself, than inserting malicious code into the plain text.

People like to use embedded programming languages:
https://github.com/dbohdan/embedded-scripting-languages

There are many web template systems:
https://en.wikipedia.org/wiki/Web_template_system

And those hyperlinks demonstrate the demand for that. Maybe not many people generate HTML pages or emails with Emacs Lisp, but I need it. I have SMS communication, email communication, letters, and I like expanding templates on the fly.

When working with 1500+ people, it brings better understanding if I send SMS which expands into personalized messages:

    Hello John, I have not get answer on my message to you from 4th May,
    did you read it? You still have US $150 pending with us.

What really matters?

- that I can send mass SMS communication, hire people and engage them on projects;

- that I can use templating system to send hundreds of thousands of emails and thus close sales, as they are personalized;

- that I can use both HTML pages with embedded personalization for emails; send HTML pages, it appears personalized, or publish it, it is not personalized, with dynamically expanded values, such as prices, listings of products, and similar;

-- 
Jean

Take action in Free Software Foundation campaigns:
https://www.fsf.org/campaigns

Sign an open letter in support of Richard M. Stallman
https://stallmansupport.org/
https://rms-support-letter.github.io/
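
The caveat in the message above about `eval' and parameters that arrive from a website visitor, as an added example that is not part of the original message and is not RCD Template code: an eval-based expander beside a data-only one. The `demo-' names and the "{{ }}" delimiters are assumptions made for illustration.

```elisp
;;; -*- lexical-binding: t; -*-
;; Added example. The `demo-' names and the "{{ }}" delimiters are
;; hypothetical and are not taken from RCD Template.

(defvar demo-flag nil
  "Becomes non-nil only if text from the visitor was evaluated.")

(defun demo-expand-eval (template)
  "Expand each {{FORM}} in TEMPLATE by evaluating FORM as Emacs Lisp.
For templates written by a trusted author only: FORM may run any code."
  (replace-regexp-in-string
   "{{\\(.*?\\)}}"
   (lambda (m)
     (format "%s" (eval (car (read-from-string (match-string 1 m))) t)))
   template t t))

(defun demo-expand-data (template values)
  "Expand each {{NAME}} in TEMPLATE from the alist VALUES, without `eval'.
NAME is only a lookup key and the value is inserted as plain text.
Unknown names are left in place."
  (replace-regexp-in-string
   "{{ *\\([[:alnum:]_-]+\\) *}}"
   (lambda (m)
     (let ((cell (assoc (match-string 1 m) values)))
       (if cell (format "%s" (cdr cell)) m)))
   template t t))

;; Constructed input: VISITOR stands for a form field from a website.
(let ((visitor "{{(setq demo-flag t)}}"))
  ;; Visitor text passed as data: inserted verbatim, `demo-flag' stays nil.
  (message "%s"
           (demo-expand-data "Hello {{name}}, US ${{amount}} pending."
                             `(("name" . ,visitor) ("amount" . "150"))))
  (message "flag after data expansion: %s" demo-flag)
  ;; Visitor text spliced into the template itself: it is now evaluated.
  (demo-expand-eval (concat "Hello " visitor))
  (message "flag after eval expansion: %s" demo-flag))
```

The difference is where the visitor's text enters: as a value looked up by key it stays inert, while concatenated into the template it becomes part of what `eval' reads.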