emacs-orgmode

Re: [O] org-export-babel-evaluate=nil ignores ":exports results" setting


From: Charles C. Berry
Subject: Re: [O] org-export-babel-evaluate=nil ignores ":exports results" setting - this has changed
Date: Tue, 21 Feb 2017 08:40:41 -0800
User-agent: Alpine 2.20 (OSX 67 2015-01-07)

On Tue, 21 Feb 2017, Aaron Ecay wrote:

Hi Chuck,

On 20 February 2017, "Charles C. Berry" wrote:

[...]



Allowing header args to be processed (as before) also allows for arbitrary
code to be executed.  The point of setting ‘org-export-use-babel’ or
`org-export-babel-evaluate' to nil was to prevent this.  For that reason
the former behavior was a bug.

Iʼm not sure I agree that itʼs so simple.  There are still ways to execute
arbitrary code on export independently of babel (e.g. eval macros).  The
advice to use o-e-babel-evaluate for security was never (IMO) correct –
the only properly secure way to export untrusted documents would involve
some kind of sandboxing of the emacs executable.


Fair enough.

[snip]


Taking a step back, I would ask what justifies o-e-b-eʼs existence at
all.  This thread demonstrates that itʼs not the right way to prevent
babel blocks from executing on export.  Itʼs also not a good solution to
the security issue.  Given the potential for confusion, Iʼd be in favor
of deprecating it entirely unless thereʼs some compelling reason for it
to exist that Iʼve overlooked.

In view of your point above about `eval' macros, I do not disagree.

Chuck.
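
An added example, not code from this thread or from Org itself: a pre-export audit in Python that lists the constructs in an Org file that can run code on export, and marks eval macros as outside Babel, which is the distinction the message above turns on. The name `audit_org` and the rule set are assumptions of this example, and the rule set is not exhaustive.

```python
import re

# Rule: (name, is_babel, regex). is_babel marks Babel constructs; eval macros
# are not Babel. The rule set is an assumption of this example, not exhaustive.
RULES = [
    ("eval-macro", False, re.compile(r"^\s*#\+MACRO:\s+\S+\s+\(eval\b", re.I)),
    ("lisp-header-arg", True,
     re.compile(r"^\s*#\+(?:BEGIN_SRC\b|HEADERS?:|PROPERTY:\s*header-args)"
                r".*\s:[\w-]+\s+[^:]*\(", re.I)),
    ("src-block", True, re.compile(r"^\s*#\+BEGIN_SRC\b", re.I)),
    ("babel-call", True, re.compile(r"^\s*#\+CALL:", re.I)),
    ("inline-babel", True,
     re.compile(r"\b(?:src|call)_[\w-]+(?:\[[^\]]*\])?[{(]")),
]
BLOCK_BEGIN = re.compile(r"^\s*#\+BEGIN_(\w+)", re.I)
BLOCK_END = re.compile(r"^\s*#\+END_(\w+)", re.I)

def audit_org(text):
    """Return [(line_no, rule_name, is_babel)] for code-running constructs."""
    findings, inside = [], None
    for no, line in enumerate(text.splitlines(), 1):
        if inside:
            # Block bodies are literal text; only look for the closing line.
            end = BLOCK_END.match(line)
            if end and end.group(1).lower() == inside:
                inside = None
            continue
        for name, is_babel, rx in RULES:
            if rx.search(line):
                findings.append((no, name, is_babel))
        begin = BLOCK_BEGIN.match(line)
        if begin and begin.group(1).lower() in ("src", "example", "export"):
            inside = begin.group(1).lower()
    return findings

# Constructed sample document, not taken from the thread.
SAMPLE = """\
#+MACRO: stamp (eval (format-time-string "%Y"))
Built in {{{stamp}}}.
#+BEGIN_SRC sh :exports results :dir (getenv "HOME")
call_me(1)
#+END_SRC
#+CALL: summary(n=3)
Total: src_python{return 1 + 1}
"""

if __name__ == "__main__":
    for no, name, is_babel in audit_org(SAMPLE):
        print(f"line {no}: {name} ({'babel' if is_babel else 'not babel'})")
```

A finding with `is_babel` false is one that a Babel-only export setting does not address, so a file with any such finding needs review or an isolated Emacs process before export.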
