Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Markdown should not open links in the browser by default #5171

Open
TomJGooding opened this issue Oct 24, 2024 · 4 comments
Open

Markdown should not open links in the browser by default #5171

TomJGooding opened this issue Oct 24, 2024 · 4 comments

Comments

@TomJGooding
Copy link
Contributor

This was originally discussed in #5169, but I think warrants a new issue.

When running the Textual tests, I was a bit concerned when links started opening in my browser! This was due to a recent change where Markdown links will be opened with App.open_url automatically.

Thankfully those links such as test.md weren't malicious, but I think it raises significant concerns about the implications of potentially opening any *.md links automatically..

I understand that you're damned if you do and damned if you don't, where some users expect links to open in the browser by default. But I think this change should be re-evaluated given the security risks, especially when internal links in markdown are probably more common.
@github-actions GitHub Actions
Copy link

Thank you for your issue. Give us a little time to review it.

PS. You might want to check the FAQ if you haven't done so already.

This is an automated reply, generated by FAQtory

@lowekoz lowekoz mentioned this issue Nov 9, 2024
Open
4 tasks
@lowekoz
Copy link

lowekoz commented Nov 9, 2024

I do not think opening links as default behaviour (open_links=True) poses any deliberate threats. That falls fully into the hands of the individual dev, who decides which links are integrated. Although with above PR fixes one can no longer attempt to open local file gov.md and unexpectedly also end up on the moldovan goverment web page 🚀

@TomJGooding
Copy link
Contributor Author

TomJGooding commented Nov 9, 2024
edited
Loading

My concern is the potential indeliberate threats with this default behaviour. Thankfully test.md wasn't malicious, but suppose the tests used a different filename? When the default behaviour surprises even the Textual maintainers, I think it should be re-evaluated

@lowekoz
Copy link

lowekoz commented Nov 11, 2024
edited
Loading

You raise a valid point, if it concerns a maintainer then maybe it should be looked at twice. Note however, that I reasoned about this security issue with the slight behavioural changes that #5223 introduces in mind (your comment on this solution?).

It seeks to distinguish between internal and external links (file://a.md != http://a.md). Then changing the file names of <tests>.md would not be sufficient to trigger a web browser opening. Your tests would have to include the https:/ or http:/ protocol identifier for the web event to trigger, and I deem it unlikely that a local .md file often goes under the name https://test.md nor that any .md test file of that nature would be allowed merging into the repo.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@lowekoz @TomJGooding