Closed randomstuff closed 3 years ago
Great point! I think I know a way to make this very visible to the user, as well as available to all plugins.
Version 2.3.0 has been published and has all of the new changes from #110. I'm not sure how much more I can do on my end to make it obvious to the user what happens when they use extensions that run commands from the source markdown.
Let me know if anything else comes up!
I've also created a security advisory for this as well https://github.com/d0c-s4vage/lookatme/security/advisories/GHSA-c84h-w6cr-5v8q
Describe the Feature Request
It is not safe to display a markdown file with lookatme without inspecting it first, because it might contain `terminalN` snippets which get executed immediately. It would probably be nice to include a warning about this topic in the documentation.
In addition, it might be useful to add a "safe" mode which disables this feature.
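As an added example (not code from the issue or from the lookatme project): a pre-flight check that scans a deck for fenced code blocks tagged `terminalN` before the file is opened in lookatme, i.e. the "inspect it first" step the report describes. It assumes CommonMark fence syntax (``` or ~~~, up to 3 spaces of indentation) and matches only the `terminal` tag named in the issue; the sample deck is constructed.

```python
import re
from typing import List, Tuple

# Constructed sample deck. The backtick fences are built from a variable so
# the sample can itself sit inside a documentation code fence.
TICKS = "`" * 3
SAMPLE_MARKDOWN = f"""\
# Demo deck

{TICKS}python
print("harmless")
{TICKS}

{TICKS}terminal8
echo this would run as soon as the slide renders
{TICKS}

~~~terminal
id
~~~

    indented code is not a fenced block
"""

# Opening fence: <=3 spaces, 3+ backticks or tildes, then the info string.
FENCE_RE = re.compile(r"^( {0,3})(`{3,}|~{3,})[ \t]*([^\s]*)")


def find_terminal_blocks(markdown: str) -> List[Tuple[int, str, str]]:
    """Return (line_no, info_string, body) for every fenced block whose info
    string is 'terminal' or 'terminalN' (the tag the issue says is executed
    as soon as the slide renders). Line numbers are 1-based."""
    results = []
    lines = markdown.splitlines()
    i = 0
    while i < len(lines):
        m = FENCE_RE.match(lines[i])
        if not m:
            i += 1
            continue
        fence, info = m.group(2), m.group(3)
        start = i + 1
        # CommonMark: the closer uses the same character, at least as long.
        closer = re.compile(r"^ {0,3}" + fence + fence[0] + r"*[ \t]*$")
        body = []
        i += 1
        while i < len(lines) and not closer.match(lines[i]):
            body.append(lines[i])
            i += 1
        i += 1  # step past the closing fence (or past EOF if unclosed)
        if re.fullmatch(r"terminal\d*", info):
            results.append((start, info, "\n".join(body)))
    return results


def is_safe_to_present(markdown: str) -> bool:
    """True only when the deck contains no terminal blocks to review."""
    return not find_terminal_blocks(markdown)
```

Run `find_terminal_blocks` on a deck and review each reported block (line number, tag, body) before presenting it; any deck for which `is_safe_to_present` is false deserves a manual read.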