Previously, a server could mistakenly or maliciously call *-mode
functions in the response to a completion or hover request,
specifically in the :documentation field of the response.
Although there are plenty of similar avenues of attack in Emacs, it's
probably a good idea not to let LSP servers decide which functions to
call in an Emacs session running Eglot.
* eglot.el (eglot--format-markup): Call major-mode to fontify
buffer, not some dynamically constructed function name.
(eglot-completion-at-point): Ensure eglot--format-markup runs in
source buffer.
GitHub-reference: fix https://github.com/joaotavora/eglot/issues/154
(if (stringp markup) (list (string-trim markup)
(intern "gfm-mode"))
(list (plist-get markup :value)
- (intern (concat (plist-get markup :language) "-mode" ))))))
+ major-mode))))
(with-temp-buffer
(ignore-errors (funcall mode))
(insert string) (font-lock-ensure) (buffer-string))))
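Review bot: in eglot--format-markup the replacement `major-mode` is read from whichever buffer is current when the function is called, so the function now depends on every caller being in the source buffer, and that contract should be stated in the docstring. The string branch still builds its symbol with `(intern "gfm-mode")`; writing it as the literal `'gfm-mode` would leave no `intern` in the function, which makes it easier to audit that no server-supplied text reaches `funcall`. Separately, `(ignore-errors (funcall mode))` hides a failed mode call, so a caller in the wrong buffer would produce unfontified or wrongly fontified text with no signal.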
(get-text-property
0 'eglot--lsp-completion obj)
:cancel-on-input t)
- :documentation)))))
- (when documentation
+ :documentation))))
+ (formatted (and documentation
+ (eglot--format-markup documentation))))
+ (when formatted
(with-current-buffer (get-buffer-create " *eglot doc*")
(erase-buffer)
- (insert (eglot--format-markup documentation))
+ (insert formatted)
(current-buffer)))))
:company-prefix-length
(cl-some #'looking-back
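Review bot: computing `formatted` before `(with-current-buffer (get-buffer-create " *eglot doc*")` is what makes `major-mode` resolve to the source buffer rather than the doc buffer, but nothing in the code says so; a short comment at the `formatted` binding would keep the call from being moved back inside the doc buffer later. The commit message also names hover requests, yet the only caller adjusted in the visible diff is eglot-completion-at-point, so it is worth confirming that the hover path also calls eglot--format-markup from the source buffer.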