Ihor Radchenko wrote:

> Max is referring to various security issues with evaluating code inside
> Org mode buffers. They are known, but not relevant to Org text being
> displayed in email MUA - Org never evaluates any code automatically
> without user explicitly asking for it. And in MUA, Org mode is simply
> used to apply faces. No other interaction with the displayed text/org
> mime part is allowed.

I can believe that Org text snippets are safe in an email MUA.  

But in the general case, I don't think Org mode is quite as safe as you
implied.  The last I heard, conversion from Org mode to another format
(e.g., plain text or HTML) can result in code evaluation, without the
user authorizing it (see
https://debbugs.gnu.org/cgi/bugreport.cgi?bug=48676).  I would not
expect random users to understand that format conversion is a
potentially risky operation.

mike
