questions re: NO_PROMPT_PERCENT

[Roman Neuhauser <neuhauser@xxxxxxxxxx>]

i was playing with my prompt settings, and arrived at a place
where i was setting PROMPT to a value with no remaining %-sequences
to expand (i was trying to achieve a particular visual effect which
depends on the contents of the expanded prompt).

prompt-git-info # populates $git_info
declare -a bits=("%(!~ "!%!" "?%?" "%%""%j" "%3~" "$git_info")
declare -a s=("%B" "%S")
# vvvvvvvvvvvvvvvvvvvv
declare tmp="${(%j: :)bits}"
# insert more %-sequences between characters in $tmp
# ^^^^^^^^^^^^^^^^^^^^
PROMPT="${(%j::)s} $tmp ${(%j::)${(@LMOa)s#%?}} "

if i'm reading this situation correctly (am I?  honest question!),
a malicious repository could use PROMPT_PERCENT to paint over my
prompt with fake data (`ESC [ Ps G` for a start), and what i should
be doing instead is

#      vvvvvvvvvvvvvvv
setopt nopromptpercent
#      ^^^^^^^^^^^^^^^
declare -a bits=("%(!~#~:)" "!%!" "?%?" "%%""%j" "%3~")
declare tmp="${(%j: :)bits}"
#      vvvvvvvvvvvvvvv
tmp+=" ${(V)git_info}"
#      ^^^^^^^^^^^^^^^
# insert more %-sequences between characters in $tmp
PROMPT="${(%j::)s} $tmp ${(%j::)${(@LMOa)s#%?}} "

BTW, i'm not much of a target and i don't think my PROMPT would
be the anyone's first choice of an attack vector against me,
but please humor me.

so i tried turning PROMPT_PERCENT off, and ended up with broken

* completion
* corrections
* xtrace (i know, PS4)

and possibly more (i know about select) but i didn't look further and
reverted, the completion system must be using a mix of print -P and
${(%)..} (the latter is unperturbed by the setting) since the terminal
gets unusable promptly, pun intended. (the shell loses track of the
cursor.)

i looked at the code history, the option goes beyond 1999, and mere
git log / git grep does not give much detail about behavior expected
back then; eg. it's possible print -P didn't even exist back then.

  % git grep -i -e percent c175751b5 -- ChangeLog
  c175751b5:ChangeLog:      Src/options.c, Src/prompt.c, Src/zsh.h: Options PROMPT_PERCENT

(there's no Src/ in the c175751b5 tree as far as i can see)

my questions are:

* is there a meaningful difference between
  set +o promptsubst; PROMPT="... $var ..."
  and
  set -o promptsubst; PROMPT='... $var ...'?
* is my understanding of PROMPT being susceptible to malicious
  data substituted directly as above correct?  what are effective
  mitigations? does ${(V)} really have me covered under PROMPTSUBST?
  what are the limits imposed by %{...%}?  the manual says it "should
  not change the cursor position", a quick test suggests it would be
  better worded as "will not be allowed ..."?  this deserves more
  detail in the text.
* does the topic deserve better coverage in the manual?
  i'm convinced it does.
* would everyone (is there one?) using nopromptpercent raise their hand?
  please describe your interactive use of zsh 5.x with nopromptpercent!
* i keep praising zsh for its conservatism, but screw 1999, what is the
  *goal* of the setting *today*?  ie. is the impact NOPROMPTPERCENT has
  on CORRECT expected?  is it *desired*?  why?  what are the $REASONS
  in "displaying the CORRECT prompt without substituting %R or %r is a
  major goal of this option because $REASONS"?  i mean, if CORRECT is
  a security concern (how?) then there's NOCORRECT, no?
* why does it affect `print -P`?
* why does it *not* affect the % parameter expansion flag?

-- 
roman