
Terminal emulators should be expected to deal with a lot of untrusted data, such as when you ssh to another machine. With all the context parsing in this, there is a large attack surface. I hope thought has been put into how to handle this.



Untrusted data in a terminal emulator??? I don't believe that I've ever used a terminal to connect to an untrusted system. I.e., local login, or ssh to a system that I trust enough to compile my programs or run my servers.

If the terminal receives untrusted data back then I've got bigger problems than a security hole in my terminal emulator.


Perhaps these will whet your appetite…

http://www.shmoo.com/mail/bugtraq/sep99/msg00145.html

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2003-00...

Also here is an overview of some of the possible ways things can go wrong: http://lists.kde.org/?l=konsole-devel&m=104617524910254&w=2

The entire concept of exploiting a terminal by supplying hostile input has been around for over 10 years now. Unix veterans and BBS users have been exposed to this type of problem since the very beginning; a newsgroup search can turn up all sorts of exploits, from the ever-popular "flash" program to the abuse of logging features in xterm which were disabled in R5.


You've never displayed content in your terminal that you didn't generate yourself? Never run curl against a URL to check out the headers? Never popped open an editor containing source code downloaded from the internet?


This has been a problem before: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0063

Untrusted data being sent to a terminal emulator does not imply you are logged into an untrusted system with it. Users should be able to view arbitrary files through their terminal emulator safely, should be able to use IRC safely, should be able to use finger safely, etc.

There are enough people here reporting errors (having it hang with certain output, crashing X.org, etc) to cause me to be very wary of this. I am not confident it would stand up to a security review.
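The class of bug the comment above points at (CVE-2003-0063: an escape sequence sets the xterm window title, and a second one asks xterm to report the title back, which lands on the command line as if typed) can be kept away from the emulator by filtering untrusted output before it is displayed, in the spirit of `cat -v`. The following is an added example, not code from this thread or from any terminal emulator project: a small state machine that strips CSI, OSC/DCS/APC-style strings, other ESC sequences and stray control bytes, and reports the two sequences most relevant here. The tag names (`OSC-title-set`, `CSI-title-report`, `*-truncated`) are this example's own; the parameter values it flags (OSC 0/2 for title set, CSI 20/21 t for icon/title report) are xterm's.

```python
"""Strip terminal escape sequences from untrusted text before it is displayed.

Added example (not from the thread).  Works on decoded text so that UTF-8
continuation bytes are never mistaken for 8-bit C1 controls; decode bytes
with errors="replace" first (see the __main__ block).
"""
import sys

ESC, BEL, ST = "\x1b", "\x07", "\x9c"
SAFE_C0 = {"\t", "\n", "\r"}          # the only C0 controls allowed through
# ESC + this byte starts a string sequence terminated by BEL or ST (ESC \)
STRING_INTRODUCERS = {"]": "OSC", "P": "DCS", "X": "SOS", "^": "PM", "_": "APC"}
# 8-bit C1 equivalents of the introducers above plus CSI
C1_MAP = {"\x9b": "CSI", "\x9d": "OSC", "\x90": "DCS", "\x98": "SOS", "\x9e": "PM", "\x9f": "APC"}


def _scan_csi(text, j, findings):
    """Consume a CSI body: parameter/intermediate bytes 0x20-0x3F, then one final byte 0x40-0x7E."""
    start = j
    while j < len(text) and "\x20" <= text[j] <= "\x3f":
        j += 1
    if j < len(text) and "\x40" <= text[j] <= "\x7e":
        params, final = text[start:j], text[j]
        # xterm: CSI 21 t reports the window title, CSI 20 t the icon label (CVE-2003-0063)
        if final == "t" and params.split(";")[0] in ("20", "21"):
            findings.append("CSI-title-report")
        return j + 1
    findings.append("CSI-truncated")
    return j


def _scan_string(text, j, family, findings):
    """Consume an OSC/DCS/SOS/PM/APC body up to and including BEL, 8-bit ST or ESC \\."""
    start = j
    while j < len(text):
        ch = text[j]
        if ch == BEL or ch == ST:
            j += 1
            break
        if ch == ESC and j + 1 < len(text) and text[j + 1] == "\\":
            j += 2
            break
        j += 1
    else:
        findings.append(f"{family}-truncated")
    # OSC 0 and OSC 2 set the window title (the first half of the xterm attack)
    if family == "OSC" and text[start:j].split(";", 1)[0] in ("0", "2"):
        findings.append("OSC-title-set")
    return j


def sanitize(text):
    """Return (clean_text, findings): escape sequences and control bytes removed,
    with tags for the title-set / title-report sequences and truncated sequences."""
    out, findings = [], []
    i, n = 0, len(text)
    while i < n:
        ch = text[i]
        family, j = None, i + 1
        if ch == ESC:
            if j >= n:
                break                      # lone trailing ESC: dropped
            nxt = text[j]
            j += 1
            if nxt == "[":
                family = "CSI"
            elif nxt in STRING_INTRODUCERS:
                family = STRING_INTRODUCERS[nxt]
            else:
                family = "ESC"             # e.g. ESC c, ESC ( B: intermediates 0x20-0x2F + one final
                if "\x20" <= nxt <= "\x2f":
                    while j < n and "\x20" <= text[j] <= "\x2f":
                        j += 1
                    if j < n:
                        j += 1
        elif ch in C1_MAP:
            family = C1_MAP[ch]
        if family == "CSI":
            i = _scan_csi(text, j, findings)
            continue
        if family in STRING_INTRODUCERS.values():
            i = _scan_string(text, j, family, findings)
            continue
        if family == "ESC":
            i = j
            continue
        if (ch < " " and ch not in SAFE_C0) or ch == "\x7f" or "\x80" <= ch <= "\x9f":
            i += 1                         # stray C0/DEL/C1 control: dropped
            continue
        out.append(ch)
        i += 1
    return "".join(out), findings


if __name__ == "__main__":
    # Usage: some-untrusted-command | python3 thisfile.py
    clean, found = sanitize(sys.stdin.buffer.read().decode("utf-8", errors="replace"))
    sys.stdout.write(clean)
    for tag in found:
        sys.stderr.write(f"stripped: {tag}\n")
```

The filter is deliberately whitelist-shaped: everything that is not printable text, tab, newline or carriage return is dropped, so an emulator-specific sequence the filter has never heard of still cannot reach the emulator. The cost is that legitimate colour and cursor sequences are removed too, which is the right trade-off for viewing files, IRC or finger output from sources you do not control.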


What if you're reading netnews in your term? What if you're browsing the web in your term?




