Policy for opening url links in documents
Richard Kimberly Heck
rikiheck at gmail.com
Wed Aug 16 21:30:56 UTC 2023
On 8/16/23 10:35, Pavel Sanda wrote:
> Hi,
>
> as a part of #12878 Stephan raised a question to what degree should we allow
> opening external links which are part of citation in the document (or rather
> part of .bib file).
>
> Currently we allow opening links stored in the "url" field of bibtex entry or
> files stored in "file" field by entry in the context menu; what's worse we
> don't show the link, so one can not check url itself - malevolent url can be
> provided (e.g. attacker web site, or maybe url scheme trying to execute some
> local stuff).
>
> (We also allow similar thing for hyperlink insets, but we at least show
> the target in caption of the inset.)
>
> Now what are your opinions what we should do about it?
> 1) nothing.
> 2) add dialog before launching url. safer but super annoying.
> 3) add dialog before launching url + dont ask again checkbox.
> not implemented - we'll also need to add session keys, which
> get erased often.
> 4) add link target to context menu (non trivial to implement)
> 5) add (by default disabled) checkbox in security preference to allow
> opening links for citations and hyperlinks similarly as we do with
> scripts.
> 6) ?
>
> I tend to go for 5, but there might be other options I did not think of...
I'm always quite paranoid about this. I suppose (5) is OK if people know
what they're doing. Could we combine (3) and (5)? If we only have (5),
then people might not discover this functionality. But perhaps in the
dialog we could say something like, "If you want to disable this
warning, see Tools> Preferences> Whatever".
Riki
More information about the lyx-devel
mailing list