help-gnu-emacs

Re: How to tame compiler?


From: Jean Louis
Subject: Re: How to tame compiler?
Date: Sun, 2 May 2021 10:37:36 +0300
User-agent: Mutt/2.0.6 (2021-03-06)

* Michael Heerdegen <michael_heerdegen@web.de> [2021-05-02 08:43]:
> Stefan Monnier <monnier@iro.umontreal.ca> writes:
> 
> > I know I sound like a broken clock, but [...]
> 
> I think you would sound more like an unbroken clock if you would shortly
> tell the disadvantages of using `eval', then people would be more open
> to alternatives.

I have now just isolated the `rcd-template-eval' function into
separate package without `lexical-binding' and it works well:
https://hyperscope.link/3/7/1/3/3/RCD-Template-Interpolation-System-for-Emacs.html

This is one special case where lexical-binding should be nil, as me, I
wish to be able to expand any variables in the template. I could use
`lexical-binding t' to see maybe some compiler errors, but then I have
removed it.

Of course I have heard of dangers of using `eval' in various
programming languages. But we have to put it in the specific contexts
as we do use `eval' so many times.

Example is Org mode source blocks, eval is used there, including it is
used to evaluate other or any kind of language. And people publish Org
mode documents after doing eval. Just same thing is taking place here.

The RCD Template Interpolation system uses `eval' to expand the
embedded Emacs Lisp into text. It is just same as using Org mode with
source blocks to expand Emacs Lisp or other programming languages into
text.

Just as with writing text, I could accidentally write my passwords and
publish them online, or I could accidentally or unknowingly remove all
my files with `rm -rf /home/myhome' -- and I remember doing that first
time when I met MS-DOS, but command name maybe was different, who
cares.

When `eval' is used with parameters that arrive from website visitor,
that is where one should be careful maybe to escape the parameters and
make sure there is nothing that could disturb or be malicious. Of
course one should not `eval' the parameter rather accept strings and
process strings. 

I guess hundreds if not thousands of people already publish Org files
that have such embedded programming languages eval-ed and expanded,
and now such Org files are published online.

What I am doing here is the same as Org, just that I like to use any
kind of markup to pre-process it before the conversion into HTML.

Back in time I have been testing various templating systems with Perl,
and I found this one was the fastest:
https://metacpan.org/pod/Text::NeatTemplate because I have tested all
templating systems on thousands page expansions and found that one
being fastest, I used it for years.

One can see how variables are being carefully prepared to be passed to
the function. And there are many similar templating systems used for
HTML generation.

Then I have been using for another bunch of years the CL-EMB Common
Lisp templating system:
https://40ants.com/lisp-project-of-the-day/2020/09/0192-cl-emb.html

https://www.common-lisp.net/project/cl-emb/

I think CL-EMB does not use `eval' directly but it uses
`read-from-string' and macro to expand the values. Anything can take
place there, as it is equivalent to eval, any code can be placed in
the text, and of course somebody can insert malicious code and do
something bad.

Let us say I make system in the functional style, that I don't write
plain text but rather Lisp expressions like (html (p "Something"))
then it is also open to inserting malicious code there, it is even
easier to insert malicious code into the code as it camouflages
itself, than inserting malicious code into the plain text.

People like to use embedded programming languages:
https://github.com/dbohdan/embedded-scripting-languages

There are many web template systems:
https://en.wikipedia.org/wiki/Web_template_system

And those hyperlinks demonstrate the demand for that.

Maybe not many people generate HTML pages or emails with Emacs Lisp,
but I need it. I have SMS communication, email communication, letters,
and I like expanding templates on the fly. When working with 1500+
people, it brings better understanding if I send SMS which expands
into personalized messages:

Hello John, I have not get answer on my message to you from 4th May,
did you read it? You still have US $150 pending with us.

What really matters?

- that I can send mass SMS communication, hire people and engage them
  on projects;

- that I can use templating system to send hundreds of thousands of
  emails and thus close sales, as they are personalized;

- that I can use both HTML pages with embedded personalization for
  emails; send HTML pages, it appears personalized, or publish it, it
  is not personalized, with dynamically expanded values, such as
  prices, listings of products, and similar;

-- 
Jean

Take action in Free Software Foundation campaigns:
https://www.fsf.org/campaigns

Sign an open letter in support of Richard M. Stallman
https://stallmansupport.org/
https://rms-support-letter.github.io/
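
An added illustration (not part of the original message, and not code from the RCD Template Interpolation System) of the distinction the message draws between evaluating template text and accepting visitor input as strings. The {{...}} delimiters, the demo- function names and the sample data are assumptions made for this example.

```elisp
;;; -*- lexical-binding: t; -*-
;; Added example. Hypothetical names and delimiters throughout.

(defun demo-expand-eval (template)
  "Expand every {{FORM}} in TEMPLATE by reading and evaluating FORM.
Only for templates the author wrote: any Lisp inside TEMPLATE runs."
  (replace-regexp-in-string
   "{{\\(.*?\\)}}"
   (lambda (match)
     (let ((form (car (read-from-string (match-string 1 match)))))
       ;; The evaluated form may run its own searches; protect the
       ;; match data that `replace-regexp-in-string' still needs.
       (save-match-data (format "%s" (eval form t)))))
   template t t))

(defun demo-expand-fields (template fields)
  "Expand {{KEY}} in TEMPLATE from FIELDS, an alist of (KEY . STRING).
Nothing is read or evaluated; KEY must be a known plain identifier."
  (replace-regexp-in-string
   "{{\\([^{}]*\\)}}"
   (lambda (match)
     (let* ((key (match-string 1 match))
            (cell (assoc key fields)))
       (cond ((not (string-match-p "\\`[a-z][a-z0-9-]*\\'" key))
              (error "Not a field name: %S" key))
             ((null cell)
              (error "Unknown field: %S" key))
             ;; The value is inserted literally and never rescanned.
             (t (cdr cell)))))
   template t t))

;; Constructed sample data: VISITOR stands for a string from a web form.
(let ((visitor "{{(+ 40 2)}}")
      (template "Hello {{name}}, you still have US ${{amount}} pending."))
  (list
   ;; Pasting the visitor string into template text and then evaluating
   ;; the template executes whatever form the visitor typed.
   (demo-expand-eval (concat "Hello " visitor "!"))
   ;; Passing the same string as a field value keeps it inert text.
   (demo-expand-fields template
                       `(("name" . ,visitor) ("amount" . "150")))))
```

The first expansion shows the visitor's form being executed; the second leaves it in the output as plain characters, because field values are substituted with the literal flag set and are never passed to `read' or `eval'.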
