Automatic reparsing of %sh{...}, while convenient in many cases,
can be surprising as well, and can lead to security problems:
'echo %sh{ printf "foo\necho bar" }' runs 'echo foo', then 'echo bar'.
we make this danger explicit, and we fix the 'nop %sh{...}' pattern.
To reparse %sh{...} strings, they can be passed to evaluate-commands,
which has been fixed to work in every cases where %sh{...} reparsing
was used..
The :format command is often called from a BufWritePre hook to format the
current buffer, however the :format command itself calls `:write` to store the
buffer in a temporary location, potentially causing an infinite recursion.
If we disable hooks while running :format, there's no danger of that occurring.
The previous implementation used to replace the contents of the buffer with
whatever the `formatcmd` was returning, regardless of the exit code of the
command, which led to the buffer being wiped out on error.
This commit does the formatting in a temporary file, and only replaces the
current buffer with the contents of the -formatted- temporary file if the
`formatcmd` returned successfully.
Fixes#1357
Level out the builtin commands loaded at startup in terms of format and
expressiveness. The following convention was followed:
* commands that take more than one argument have to be described along
with their parameters prior to the actual documentation, otherwise the
docstring consists in a capitalized sentence
e.g. `command <arg1>: do something`
* optional arguments are enclosed in square brackets, to comply with the
format used for hardcoded commands
e.g. `cd [<directory>]`
* describe the effects of the command in the documentation string and
omit implementation details unless they are relevant. Usually command
names include the name of the tool they use, so they don't need to be
redundantly mentioned
e.g. `tmux-new-pane <arguments>: open a new pane`
* document the format the parameters to the commands, or list them if
they are to be chosen among a list of static values (c.f. `spell.kak`)
