[wglb]

Because?

[technomancy]

Elsewhere in the manual it seems to imply that formulas can include arbitrary Emacs Lisp functions, which would make it quite easy to implement a virus as there appears to be no sandboxing. What it probably means is that viruses written for other spreadsheet implementations won't work on it.

Edit: never mind; I read further and it does do some sandboxing based on the same whitelisting principles as directory-local variable settings. Very clever.

[bastawhiz]

Even still, pure interpreters are not immune to vulnerabilities. One buffer overflow or bad array lookup and you're hosed.

[wglb]

I must admit that I haven't heard of buffer overflows in emacs lisp.

[hollerith]

Right. When all of the language's data structures are garbage collected and the language has no pointer types, buffer overflows become much rarer.

There are a few array-lookup operations like AREF, but they do bounds checking (at run time, when the check is easier to get right).