#1338 <https://github.com/leo-editor/leo-editor/issues/1338> fixed a serious bug that could lead to the unexpected execution of code. g.computeFileUrl was expanding path expressions of the form {{text}} within arbitrary body text!

I am continuing to explore the implications for Leo's code base. I have just created #1341 <https://github.com/leo-editor/leo-editor/issues/1341>, which suggests that calls to g.os_path_expandExpression should be strictly limited to the context in which they were originally proposed, namely to compute paths in @<file> nodes.

At present, g.os_path_finalize and g.os_path_finalize_join expand path expressions(!!). I think this is wrong, and dangerous. I'm pretty sure this code arose as a misguided attempt on my part to support path expressions in @<file> nodes *elegantly.*

g.os_path_finalize and g.os_path_finalize_join are used throughout Leo. I don't believe it is wise to have these utility functions expand what looks like path expressions! Elegance must take a back seat to safety.

I am alerting you all to this issue because fixing it may cause other problems. For example, plugins now get the "benefits" of automatic expansion of path expressions. One option would be to leave plugins unchanged, and wait for complaints from users ;-)

Your comments, please.

Edward
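The separation proposed in the message above, as an added sketch that is not Leo's code and not part of the original message: a general path utility that expands `{{...}}` implicitly, next to a strict utility plus one explicit expansion point reserved for @<file> headlines. Every function name, the prefix list and the recording `evaluate` stand-in are assumptions made for illustration.

```python
import posixpath
import re

PATH_EXPR = re.compile(r"\{\{(.*?)\}\}")
# Assumed subset of @<file> headline prefixes, for illustration only.
FILE_PREFIXES = ("@file ", "@clean ", "@auto ", "@edit ")

def expand(s, evaluate):
    """Replace each {{expr}} in s with evaluate(expr)."""
    return PATH_EXPR.sub(lambda m: str(evaluate(m.group(1).strip())), s)

def finalize_implicit(path, evaluate):
    """Risky shape: a general utility that expands whatever it is handed."""
    return posixpath.normpath(expand(path, evaluate))

def finalize_strict(path):
    """Safer shape: normalise only, so '{{...}}' stays literal text."""
    return posixpath.normpath(path)

def file_node_path(headline, evaluate):
    """The only caller allowed to expand: the path of an @<file> headline."""
    for prefix in FILE_PREFIXES:
        if headline.startswith(prefix):
            raw = headline[len(prefix):].strip()
            return finalize_strict(expand(raw, evaluate))
    raise ValueError("not an @<file> headline")

def demo():
    calls = []  # every expression that reached the evaluator

    def evaluate(expr):
        # Stand-in for expression evaluation: it only records and looks up.
        calls.append(expr)
        return {"home": "/home/user"}.get(expr, "")

    body_text = "notes/{{anything typed in a body}}/readme.txt"  # constructed
    headline = "@file {{home}}/proj/main.py"  # constructed
    finalize_implicit(body_text, evaluate)  # body text reaches the evaluator
    implicit_calls = list(calls)
    calls.clear()
    literal = finalize_strict(body_text)  # nothing is evaluated
    strict_calls = list(calls)
    node_path = file_node_path(headline, evaluate)
    return implicit_calls, strict_calls, literal, node_path, list(calls)

if __name__ == "__main__":
    print(demo())
```
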
