On 8/16/23 10:35, Pavel Sanda wrote:
Hi,as a part of #12878 Stephan raised a question to what degree should we allow opening external links which are part of citation in the document (or rather part of .bib file). Currently we allow opening links stored in the "url" field of bibtex entry or files stored in "file" field by entry in the context menu; what's worse we don't show the link, so one can not check url itself - malevolent url can be provided (e.g. attacker web site, or maybe url scheme trying to execute some local stuff). (We also allow similar thing for hyperlink insets, but we at least show the target in caption of the inset.) Now what are your opinions what we should do about it? 1) nothing. 2) add dialog before launching url. safer but super annoying. 3) add dialog before launching url + dont ask again checkbox. not implemented - we'll also need to add session keys, which get erased often. 4) add link target to context menu (non trivial to implement) 5) add (by default disabled) checkbox in security preference to allow opening links for citations and hyperlinks similarly as we do with scripts. 6) ? I tend to go for 5, but there might be other options I did not think of...
I'm always quite paranoid about this. I suppose (5) is OK if people know what they're doing. Could we combine (3) and (5)? If we only have (5), then people might not discover this functionality. But perhaps in the dialog we could say something like, "If you want to disable this warning, see Tools> Preferences> Whatever".
Riki -- lyx-devel mailing list lyx-devel@lists.lyx.org http://lists.lyx.org/mailman/listinfo/lyx-devel
