Using eval in %sh{ ... }: dangerous?

Ok, here is my noob question of the month. The docs on expansions state, and I verified, that:

when turned into environment variables, list-type options, $kak_reg_x, and “quoted list” values will be shell-quoted so the shell doesn’t get confused about how many items the list contains. You will need to apply eval to get back the original values.

So we’ll need to apply ‘eval’ to what may be uncontrolled user input. Is there nothing here to worry about? What if the register contains nasty things (e.g., ‘33; rm myfile.txt’)?

It’s not uncontrolled user input, it’s been shell-quoted by Kakoune. If a register (or whatever) contains nasty things, quoting ensures the shell will treat them as strings, not as commands.


Stupidly enough, I was confused by the writing in the doc-expansions. I understood that the quoting inside the register (or whatever string) prevented word splitting of a compound term such as “A B C”, but I was unsure about further safety through ‘eval’. But yes, the thing is safe. All compound terms are surrounded by single quotes, and each single quote in the string is converted to '\''. So all goes well.
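
The quoting rule described in the last post, checked end to end in an added example that is not part of the original thread and is not Kakoune's own code. `shell_quote` and `quote_list` are hypothetical helpers that model that rule, all values are constructed, and the canary is a temp file the script creates itself.

```shell
# Model of the rule from the thread: wrap the item in single quotes and
# rewrite every embedded ' as '\''. (Trailing newlines are lost to $(...).)
shell_quote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# Join quoted items with spaces, the shape a shell-quoted list value has.
quote_list() {
    out=
    for item in "$@"; do
        out="$out${out:+ }$(shell_quote "$item")"
    done
    printf '%s' "$out"
}

# Returns 0 if eval hands back exactly the original items and runs nothing.
roundtrip_is_safe() {
    canary=$(mktemp) || return 1
    a="33; rm $canary"                        # the question's example
    b="it's; \$(rm $canary) \`rm $canary\`"   # embedded quote and substitutions
    c="A B C"                                 # compound term with spaces
    quoted=$(quote_list "$a" "$b" "$c")       # stands in for a quoted $kak_reg_x
    eval "set -- $quoted"
    ok=1
    [ "$#" -eq 3 ] && [ "$1" = "$a" ] && [ "$2" = "$b" ] && [ "$3" = "$c" ] \
        && [ -e "$canary" ] && ok=0
    rm -f "$canary"
    return "$ok"
}

# Contrast: the same eval on the raw, unquoted value runs the embedded command.
raw_eval_runs_command() {
    canary=$(mktemp) || return 1
    raw="33; rm $canary"
    eval "set -- $raw"
    if [ -e "$canary" ]; then rm -f "$canary"; return 1; fi
    return 0
}

roundtrip_is_safe && echo "quoted list: eval returned 3 items, nothing ran"
raw_eval_runs_command && echo "raw value: eval ran the embedded rm"
```

The safety comes entirely from the value having been quoted before `eval` sees it; applying `eval` to a string that has not been through that quoting gives the second result.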