49.2.4.2 Safety of File Variables

File-local variables can be dangerous; when you visit someone else’s file, there’s no telling what its local variables list could do to your Emacs. Improper values of the eval “variable”, and other variables such as load-path, could execute Lisp code you didn’t intend to run.

Therefore, whenever Emacs encounters file local variable values that are not known to be safe, it displays the file’s entire local variables list, and asks you for confirmation before setting them. You can type y or SPC to put the local variables list into effect, or n to ignore it. When Emacs is run in batch mode (see Initial Options), it can’t really ask you, so it assumes the answer n.

Emacs normally recognizes certain variable/value pairs as safe. For instance, it is safe to give comment-column or fill-column any integer value. If a file specifies only known-safe variable/value pairs, Emacs does not ask for confirmation before setting them. Otherwise, you can tell Emacs to record all the variable/value pairs in this file as safe, by typing ! at the confirmation prompt. When Emacs encounters these variable/value pairs subsequently, in the same file or others, it will assume they are safe.

You can also tell Emacs to permanently ignore all the variable/value pairs in the file, by typing i at the confirmation prompt – these pairs will thereafter be ignored in this file and in all other files.

Some variables, such as load-path, are considered particularly risky: there is seldom any reason to specify them as local variables, and changing them can be dangerous. If a file contains only risky local variables, Emacs neither offers nor accepts ! as input at the confirmation prompt. If some of the local variables in a file are risky, and some are only potentially unsafe, you can enter ! at the prompt. It applies all the variables, but only marks the non-risky ones as safe for the future. If you really want to record safe values for risky variables, do it directly by customizing ‘ safe-local-variable-values’ (see Easy Customization Interface). Similarly, if you want to record values of risky variables that should be permanently ignored, customize ignored-local-variable-values.

The variable enable-local-variables allows you to change the way Emacs processes local variables. Its default value is t, which specifies the behavior described above. If it is nil, Emacs simply ignores all file local variables. :safe means use only the safe values and ignore the rest. Any other value says to query you about each file that has local variables, without trying to determine whether the values are known to be safe.

The variable enable-local-eval controls whether Emacs processes eval variables. The three possibilities for the variable’s value are t, nil, and anything else, just as for enable-local-variables. The default is maybe, which is neither t nor nil, so normally Emacs does ask for confirmation about processing eval variables.

As an exception, Emacs never asks for confirmation to evaluate any eval form if that form occurs within the variable safe-local-eval-forms.