by hjanssen 1338 days ago
It seems to me that enabling string replacement with all lookups enabled by default would be a dangerous idea to begin with. Why would it be implemented that way?

Having a replacement that is based on arbitrary scripts (!) seems especially questionable to me, in my brain that is a niche use case and should be turned off by default.

Maybe we have to sharpen the awareness of the common developer to these kinds of dangerous practices, like we did with SQL injection attacks, where string concatenation to create your queries is generally frowned upon and is regarded as a bad practice industry-wide.
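The design point in this comment can be shown with a small toy substitution engine. This is an added example, not code from the thread or from any real logging library: the `${kind:key}` syntax, the `LOOKUP_SOURCES` table and its values (including the fake `DB_PASSWORD`) are constructed for the demo. It contrasts a design where lookups are always on and run over the final string (so attacker-controlled argument values get interpreted) with one where lookups default to off and, when enabled, are applied only to the developer-written template, never to the data, which is the same separation that parameterized SQL queries enforce.

```python
"""Toy string-substitution engine: lookups-on-everything vs. parameterized.

Added example; the lookup syntax and sources below are constructed for the
demo and do not model any particular library.
"""
import re

# Constructed stand-ins for lookup sources (environment, system properties,
# remote resolvers, ...). Nothing here reads real process state.
LOOKUP_SOURCES = {
    "env": {"APP_MODE": "production", "DB_PASSWORD": "fake-secret-for-demo"},
    "sys": {"user.name": "svc-app"},
}

# A placeholder looks like ${kind:key}; unknown kinds/keys are left verbatim.
PLACEHOLDER = re.compile(r"\$\{(?P<kind>[a-z]+):(?P<key>[^}]+)\}")


def resolve_lookups(text: str) -> str:
    """Replace every ${kind:key} in text with the looked-up value."""
    def _sub(match: re.Match) -> str:
        source = LOOKUP_SOURCES.get(match.group("kind"), {})
        return source.get(match.group("key"), match.group(0))
    return PLACEHOLDER.sub(_sub, text)


def _fill(template: str, args: tuple) -> str:
    """Substitute each '{}' in template with the corresponding argument,
    inserting the argument text literally (no re-parsing of the value)."""
    parts = template.split("{}")
    if len(parts) - 1 != len(args):
        raise ValueError("argument count does not match '{}' placeholders")
    out = parts[0]
    for value, tail in zip(args, parts[1:]):
        out += str(value) + tail
    return out


def render_lookups_on_everything(template: str, *args) -> str:
    """Risky design: lookups are always enabled and run over the *final*
    string, so a value supplied by a caller (or a remote user) is interpreted
    exactly like the developer's template."""
    message = _fill(template, args)
    return resolve_lookups(message)


def render_parameterized(template: str, *args, lookups_enabled: bool = False) -> str:
    """Safer design: lookups are off by default, and when explicitly enabled
    they run only over the trusted template; argument values are never
    scanned, so data cannot turn into a lookup."""
    if lookups_enabled:
        template = resolve_lookups(template)
    return _fill(template, args)


if __name__ == "__main__":
    # Constructed attacker-supplied username carrying a lookup placeholder.
    untrusted = "alice${env:DB_PASSWORD}"
    print(render_lookups_on_everything("login failed for user {}", untrusted))
    print(render_parameterized("login failed for user {}", untrusted))
    print(render_parameterized("[${env:APP_MODE}] login failed for user {}",
                               untrusted, lookups_enabled=True))
```

Running the block prints the leaked value in the first line only: the always-on design expands the placeholder hidden in the username, while the parameterized design echoes it back as literal text, with or without lookups enabled.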