I think the comment is intended as a warning. The function <SID>ProcessTemplate() goes through a template file, looks for certain (configurable) patterns, and calls <SID>Compute(what), where the argument what is text extracted from the template. Note the line :exe a:what.
If you install a template file from an untrusted source, then bad things can happen.
Of course, if you install a vim plugin from an untrusted source, equally bad things can happen. Putting malware in a template file adds a few levels of indirection, making it harder to implement and harder to diagnose.
It is possible that this code was written before the :sandbox
command was added to vim, and that might be an easy way to make this code safer. I have not looked at what is allowed in the sandbox and compared it to the intended use of this template processing.
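An added illustration of the :sandbox idea raised above (example code, not the plugin's own, and not from the original post): the template-supplied text is evaluated under :sandbox instead of a bare :exe, so a field that tries to run a shell command is refused with E48 rather than executed. The {{ expr }} pattern, the function names and the sample line are assumptions made for this example.

```vim
" Added example, not the plugin's code.  The {{ expr }} pattern, the
" function names and the sample line below are assumptions.

" Evaluate one expression pulled out of a template.  Under :sandbox, Vim
" refuses shell commands, file reads/writes, option changes, mappings and
" autocommands (see :help sandbox) and raises E48 instead of running them.
function! s:SafeCompute(what) abort
  try
    sandbox let l:result = eval(a:what)
  catch /E48:/
    " Refused by the sandbox: report it and leave the field empty rather
    " than silently doing what the template author asked for.
    echohl WarningMsg
    echomsg 'template field refused by sandbox: ' . a:what
    echohl None
    return ''
  catch
    " Any other failure (e.g. a malformed expression) also yields an
    " empty field instead of aborting the whole template.
    echomsg 'template field failed: ' . v:exception
    return ''
  endtry
  return l:result
endfunction

" Replace every {{ expr }} in a line with the result of evaluating expr.
" The substitution itself runs outside the sandbox; only the text that
" came from the template is evaluated inside it.
function! s:ProcessTemplateLine(line) abort
  return substitute(a:line, '{{\s*\(.\{-}\)\s*}}',
        \ '\=s:SafeCompute(submatch(1))', 'g')
endfunction

" Constructed sample line: the first field is the kind of thing a template
" legitimately needs, the second is the kind of thing an untrusted template
" could carry.  With a bare :exe or eval() the second field would run a
" shell command; under :sandbox it produces the E48 warning and an empty
" field, and the first field is still filled in normally.
let s:sample = 'Created {{ strftime("%Y-%m-%d") }} owner {{ system("id") }}'
echo s:ProcessTemplateLine(s:sample)
```

Whether the rest of the plugin's template handling (inserting the result into the buffer, for instance) also fits inside the sandbox is the part the post leaves open; here only the evaluation of template-supplied text is sandboxed.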