
Why would git strip formatting from my message? If my team wants colorful messages why should git be the one to say we're wrong?

Git commit messages are used for lots of different things, but at the end of the day it's just another piece of data included in a hash in a content-addressable file system.

If you're doing something with that tool where including formatting like this would be considered a vulnerability, it's on you to take care of that. It's exactly the same with any other bug or exploit in your codebase: it's not git's fault that you committed it.




If you need to have this feature, then you should have to opt in (git config, for example). But I have very good reasons to say that the default should properly escape the messages before printing them. I would not like to clone a repo from GitHub and have "git log" let my terminal go crazy. You understand that this issue can have a bigger impact than blinking commit messages, right?


Terminal attacks are not new and the solution isn't to expect every individual program to escape terminal escape codes.

    The ideal solution is to sanitize all data before displaying it
    on your terminal, however without a custom terminal application
    or data filter, you can't guarantee that every tool you use on
    the command-line is going to strip escape sequences. The
    responsibility should rest on the actual terminal emulator; any
    features that allow file or command-line access should be
    disabled by default and more attention should be paid to new
    features that implement any use of escape sequences. [0]
Are you cloning untrusted repositories to your computer and running git log blindly?

[0]: http://marc.info/?l=bugtraq&m=104612710031920


No?

I mean, it would be super nice for your terminal emulator to just automagically filter out escape sequences when you, the user, do not want them and to allow them for programs that you do. A whitelist would work but would be super annoying to actually verify, as so many programs output things from so many different inputs. It seems like programs themselves should decide if they need to output arbitrary data and, in cases where they don't, like git, they can filter it.
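
A filter of the kind this comment argues a program like git could apply before writing untrusted text to a terminal, added here as an example that is not part of the thread and not git's own code (the sequence families covered by the regex are my assumption of what a terminal acts on):

```python
import re

# Sequence families a terminal interprets (assumed coverage, not exhaustive):
#   CSI:  ESC [ params intermediates final   (colours, cursor moves, ...)
#   OSC:  ESC ] ... ended by BEL or ESC \    (window title, hyperlinks, ...)
#   DCS/SOS/PM/APC: ESC P / ESC X / ESC ^ / ESC _ ... ended by ESC \
#   other two-byte ESC sequences             (e.g. ESC c = full reset)
#   raw 8-bit C1 controls 0x80-0x9F          (8-bit forms of the above)
ESC_RE = re.compile(
    r"\x1b\[[0-?]*[ -/]*[@-~]"               # CSI
    r"|\x1b\][^\x07\x1b]*(?:\x07|\x1b\\)?"   # OSC
    r"|\x1b[PX^_][^\x1b]*(?:\x1b\\)?"        # DCS, SOS, PM, APC
    r"|\x1b[\x40-\x5f]"                      # remaining ESC + C1 final byte
    r"|\x1b."                                # any other ESC + one byte
    r"|[\x80-\x9f]",                         # raw C1 controls
    re.DOTALL,
)


def sanitize(text: str) -> str:
    """Return text safe to print: escape sequences are dropped entirely, and
    any leftover C0 control byte (except newline and tab) is rendered in
    caret notation so the reader can still see that something was there."""
    text = ESC_RE.sub("", text)
    out = []
    for ch in text:
        code = ord(ch)
        if ch in "\n\t":
            out.append(ch)
        elif code < 0x20 or code == 0x7F:
            out.append("^" + chr((code + 0x40) & 0x7F))  # 0x1b -> ^[, 0x7f -> ^?
        else:
            out.append(ch)
    return "".join(out)


def contains_escapes(text: str) -> bool:
    """True if the text carries anything the terminal would act on."""
    return sanitize(text) != text


# Constructed sample: a commit subject carrying colour codes, an OSC
# window-title change and a BEL, the kind of payload the thread discusses.
SAMPLE = "\x1b[31mfix: \x1b[0mhandle nulls\x1b]0;pwned\x07 in parser\x07"

if __name__ == "__main__":
    print(repr(sanitize(SAMPLE)))  # 'fix: handle nulls in parser^G'
```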


Automagically? The terminal emulator's job is to parse and interpret those sequences.



