Do not set `trusted-content` in major modes

* lisp/progmodes/elisp-mode.el (lisp-interaction-mode):
* lisp/ielm.el (inferior-emacs-lisp-mode): Do not set `trusted-content.
* lisp/ielm.el (ielm):
* lisp/simple.el (get-scratch-buffer-create): Set `trusted-content` here
instead.
* lisp/files.el (trusted-content): Doc fix; warn against setting this
option to :all in a major or mode mode.
Problem reported by Max Nikulin <manikulin@gmail.com>.

5 files changed, 12 insertions, 7 deletions

diff --git a/etc/NEWS b/etc/NEWS
index fbfb9086430..da3a1d670e7 100644
--- a/etc/NEWS
+++ b/etc/NEWS
@@ -193,6 +193,9 @@ For example, Flymake's backend for Emacs Lisp consults this option
 and disables itself with an "untrusted content" warning if the file
 is not listed.
 
+Emacs Lisp authors should note that a major or minor mode must never set
+this variable to the ':all' value.
+
 This option is used to fix CVE-2024-53920.  See below for details.
 
 ** Emacs now supports Unicode Standard version 15.1.
diff --git a/lisp/files.el b/lisp/files.el
index b64935e8d9e..380721f1fe2 100644
--- a/lisp/files.el
+++ b/lisp/files.el
@@ -724,11 +724,12 @@ enabled (for example, when it is added to a mode hook).
 Each element of the list should be a string:
 - If it ends in \"/\", it is considered as a directory name and means that
   Emacs should trust all the files whose name has this directory as a prefix.
-- else it is considered as a file name.
+- Otherwise, it is considered a file name.
 Use abbreviated file names.  For example, an entry \"~/mycode/\" means
 that Emacs will trust all the files in your directory \"mycode\".
 This variable can also be set to `:all', in which case Emacs will trust
-all files, which opens a gaping security hole."
+all files, which opens a gaping security hole.  Emacs Lisp authors
+should note that this value must never be set by a major or minor mode."
   :type '(choice (repeat :tag "List" file)
                  (const :tag "Trust everything (DANGEROUS!)" :all))
   :version "30.1")
diff --git a/lisp/ielm.el b/lisp/ielm.el
index 561185a738a..b3cd02b4dc0 100644
--- a/lisp/ielm.el
+++ b/lisp/ielm.el
@@ -580,7 +580,6 @@ Customized bindings may be defined in `ielm-map', which currently contains:
        ielm-fontify-input-enable
        (comint-fontify-input-mode))
 
-  (setq-local trusted-content :all)
   (setq comint-prompt-regexp (concat "^" (regexp-quote ielm-prompt)))
   (setq-local paragraph-separate "\\'")
   (setq-local paragraph-start comint-prompt-regexp)
@@ -684,7 +683,8 @@ See `inferior-emacs-lisp-mode' for details."
     (unless (comint-check-proc buf-name)
       (with-current-buffer (get-buffer-create buf-name)
         (unless (zerop (buffer-size)) (setq old-point (point)))
-        (inferior-emacs-lisp-mode)))
+        (inferior-emacs-lisp-mode)
+        (setq-local trusted-content :all)))
     (pop-to-buffer-same-window buf-name)
     (when old-point (push-mark old-point))))
 
diff --git a/lisp/progmodes/elisp-mode.el b/lisp/progmodes/elisp-mode.el
index 59c33c09f0f..a573d9ef864 100644
--- a/lisp/progmodes/elisp-mode.el
+++ b/lisp/progmodes/elisp-mode.el
@@ -1337,8 +1337,7 @@ Semicolons start comments.
 
 \\{lisp-interaction-mode-map}"
   :abbrev-table nil
-  (setq-local lexical-binding t)
-  (setq-local trusted-content :all))
+  (setq-local lexical-binding t))
 
 ;;; Emacs Lisp Byte-Code mode
 
diff --git a/lisp/simple.el b/lisp/simple.el
index da4d20e4f78..152a8c451ac 100644
--- a/lisp/simple.el
+++ b/lisp/simple.el
@@ -11154,7 +11154,9 @@ too short to have a dst element.
           (when initial-scratch-message
             (insert (substitute-command-keys initial-scratch-message))
             (set-buffer-modified-p nil))
-          (funcall initial-major-mode))
+          (funcall initial-major-mode)
+          (when (eq initial-major-mode 'lisp-interaction-mode)
+            (setq-local trusted-content :all)))
         scratch)))
 
 (defun scratch-buffer ()