On Wed, Aug 16, 2023 at 06:30:38PM +0200, Daniel wrote:
>
> On 2023-08-16 16:35, Pavel Sanda wrote:
> > Hi,
> >
> > as a part of #12878 Stephan raised a question to what degree should we allow
> > opening external links which are part of citation in the document (or rather
> > part of .bib file).
> >
> > Currently we allow opening links stored in the "url" field of bibtex entry or
> > files stored in "file" field by entry in the context menu; what's worse we
> > don't show the link, so one cannot check url itself - malevolent url can be
> > provided (e.g. attacker web site, or maybe url scheme trying to execute some
> > local stuff).
> >
> > (We also allow similar thing for hyperlink insets, but we at least show
> > the target in caption of the inset.)
> >
> > Now what are your opinions what we should do about it?
> > 1) nothing.
> > 2) add dialog before launching url. safer but super annoying.
> > 3) add dialog before launching url + don't ask again checkbox.
> >    not implemented - we'll also need to add session keys, which
> >    get erased often.
> > 4) add link target to context menu (non trivial to implement)
> > 5) add (by default disabled) checkbox in security preference to allow
> >    opening links for citations and hyperlinks similarly as we do with
> >    scripts.
> > 6) ?
> >
> >
> > I tend to go for 5, but there might be other options I did not think of...
>
> FWIW, I have seen only 1, 2 and 3 implemented in other applications when
> launching external URLs but none of the others.
>
> A possible
>
> 6) Per document enabling: when there are external URLs in a document that
> could be opened, a message appears at the top asking whether the document
> should be trusted in that respect.
>
> It's similar to how VS Code asks whether to enable extensions for a
> document. Not sure whether I like myself.

I think Daniel is talking about:

  Document > Settings > Format > Output > "Allow running external programs"

Whether 5 or 6, I wonder if it would be helpful to combine the preferences.
i.e., have a preference "Trust document content", and then allow the user
finer control if they prefer?

Scott

-- lyx-devel mailing list lyx-devel@lists.lyx.org http://lists.lyx.org/mailman/listinfo/lyx-devel
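
Added example (not part of the thread and not LyX code): one way the checks discussed above could fit together for a citation's "url" field, combining a scheme allowlist, an off-by-default preference (option 5), per-document trust (option 6) and always exposing the target text. The names Action, Decision, urlScheme, displayable and decideCitationUrl, and the choice of http/https as the only accepted schemes, are assumptions for illustration.

```cpp
#include <cctype>
#include <cstddef>
#include <string>

// Hypothetical policy types; not LyX's actual API.
enum class Action { Open, Confirm, Block };

struct Decision {
    Action action;
    std::string shown;  // target text to show the user before anything opens
};

// Return the lower-cased scheme ("https" for "https://..."), or "" if the
// string does not start with a syntactically valid scheme.
std::string urlScheme(const std::string& target) {
    const std::size_t colon = target.find(':');
    if (colon == std::string::npos || colon == 0) return "";
    if (!std::isalpha(static_cast<unsigned char>(target[0]))) return "";
    std::string scheme;
    for (std::size_t i = 0; i < colon; ++i) {
        const unsigned char c = static_cast<unsigned char>(target[i]);
        if (!(std::isalnum(c) || c == '+' || c == '-' || c == '.')) return "";
        scheme += static_cast<char>(std::tolower(c));
    }
    return scheme;
}

// Replace control characters so the displayed target cannot hide or reflow text.
std::string displayable(const std::string& target) {
    std::string out;
    for (unsigned char c : target)
        out += (c < 0x20 || c == 0x7f) ? '?' : static_cast<char>(c);
    return out;
}

// Decide what to do with the "url" field of a bibliography entry.
Decision decideCitationUrl(const std::string& target,
                           bool linksAllowedInPrefs,  // option 5, default false
                           bool documentTrusted) {    // option 6
    Decision d{Action::Block, displayable(target)};
    const std::string scheme = urlScheme(target);
    if (scheme != "http" && scheme != "https") return d;  // allowlist, not blocklist
    if (!linksAllowedInPrefs) return d;
    d.action = documentTrusted ? Action::Open : Action::Confirm;
    return d;
}
```

The "file" field is not covered here; a local path needs its own policy rather than a scheme check.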