Policy for opening url links in documents
Daniel
xracoonx at gmx.de
Wed Aug 16 18:59:48 UTC 2023
On 2023-08-16 20:33, Scott Kostyshak wrote:
> On Wed, Aug 16, 2023 at 06:30:38PM +0200, Daniel wrote:
>>
>> On 2023-08-16 16:35, Pavel Sanda wrote:
>>> Hi,
>>>
>>> as a part of #12878 Stephan raised the question of to what degree we should allow
>>> opening external links which are part of a citation in the document (or rather
>>> part of the .bib file).
>>>
>>> Currently we allow opening links stored in the "url" field of a bibtex entry or
>>> files stored in the "file" field by an entry in the context menu; what's worse, we
>>> don't show the link, so one cannot check the url itself - a malevolent url can be
>>> provided (e.g. an attacker web site, or maybe a url scheme trying to execute some
>>> local stuff).
>>>
>>> (We also allow a similar thing for hyperlink insets, but we at least show
>>> the target in the caption of the inset.)
>>>
>>> Now what are your opinions on what we should do about it?
>>> 1) nothing.
>>> 2) add dialog before launching url. safer but super annoying.
>>> 3) add dialog before launching url + don't ask again checkbox.
>>> not implemented - we'll also need to add session keys, which
>>> get erased often.
>>> 4) add link target to context menu (non trivial to implement)
>>> 5) add (by default disabled) checkbox in security preference to allow
>>> opening links for citations and hyperlinks similarly as we do with
>>> scripts.
>>> 6) ?
>>>
>>>
>>> I tend to go for 5, but there might be other options I did not think of...
>>
>> FWIW, I have seen only 1, 2 and 3 implemented in other applications when
>> launching external URLs but none of the others.
>>
>> A possible
>>
>> 6) Per document enabling: when there are external URLs in a document that
>> could be opened, a message appears at the top asking whether the document
>> should be trusted in that respect.
>>
>> It's similar to how VS Code asks whether to enable extensions for a
>> document. Not sure whether I like it myself.
>
> I think Daniel is talking about:
>
> Document > Settings > Format > Output > "Allow running external programs"

No, I wasn't aware of that option's existence and still don't know what
it does. :)

Not sure where the misunderstanding is though.

Daniel