Policy for opening url links in documents

Daniel xracoonx at gmx.de
Wed Aug 16 16:30:38 UTC 2023


On 2023-08-16 16:35, Pavel Sanda wrote:
> Hi,
> 
> as a part of #12878 Stephan raised a question to what degree should we allow
> opening external links which are part of citation in the document (or rather
> part of .bib file).
> 
> Currently we allow opening links stored in the "url" field of bibtex entry or
> files stored in "file" field by entry in the context menu; what's worse we
> don't show the link, so one can not check url itself - malevolent url can be
> provided (e.g. attacker web site, or maybe url scheme trying to execute some
> local stuff).
> 
> (We also allow similar thing for hyperlink insets, but we at least show
> the target in caption of the inset.)
> 
> Now what are your opinions what we should do about it?
> 1) nothing.
> 2) add dialog before launching url. safer but super annoying.
> 3) add dialog before launching url + dont ask again checkbox.
>     not implemented - we'll also need to add session keys, which
>     get erased often.
> 4) add link target to context menu (non trivial to implement)
> 5) add (by default disabled) checkbox in security preference to allow
>     opening links for citations and hyperlinks similarly as we do with
>     scripts.
> 6) ?
> 
> 
> I tend to go for 5, but there might be other options I did not think of...

FWIW, I have seen only 1, 2 and 3 implemented in other applications when 
launching external URLs but none of the others.

A possible

6) Per document enabling: when there are external URLs in a document 
that could be opened, a message appears at the top asking whether the 
document should be trusted in that respect.

It's similar to how VS Code asks whether to enable extensions for a 
document. Not sure whether I like myself.

Daniel



More information about the lyx-devel mailing list