d0c-s4vage / lookatme

An interactive, terminal-based markdown presenter
https://lookatme.readthedocs.io/en/latest/
MIT License

Warn about the security issues #109

Closed randomstuff closed 3 years ago

randomstuff commented 3 years ago

Describe the Feature Request

It is not safe to display a markdown file with lookatme without inspecting it first because it might contain terminalN snippets which get executed immediately.

It would probably be nice to include a warning about this topic in the documentation.

In addition, it might be useful to add a "safe" mode which disables this feature.
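A pre-display inspection check in the spirit of the request above, added here as an example; it is not part of the issue or of lookatme's own code. It assumes that the terminal extension is selected by a fence info string of `terminal` plus an optional row count (for example `terminal8`), and the sample deck it scans is constructed.

```python
import re
from typing import List, NamedTuple

# Assumption (not taken from the issue): lookatme's terminal extension is chosen
# by a fence info string "terminal" plus an optional row count, e.g. terminal8.
TERMINAL_LANG = re.compile(r"^terminal\d*$", re.IGNORECASE)
# CommonMark fence opener: up to 3 spaces of indent, 3+ backticks or tildes,
# then an optional info string (a backtick fence's info may not contain backticks).
FENCE_OPEN = re.compile(r"^ {0,3}(?P<fence>`{3,}|~{3,})[ \t]*(?P<info>.*)$")

class ExecBlock(NamedTuple):
    start_line: int   # 1-based line of the opening fence
    info: str         # fence info string as written, e.g. "terminal8"
    commands: str     # block body that the extension would hand to a shell

def find_executable_blocks(markdown: str) -> List[ExecBlock]:
    """Return every fenced block whose info string selects the terminal extension."""
    found: List[ExecBlock] = []
    state = None  # (fence string, info, start line, body lines) while inside a fence

    def close_block() -> None:
        fence, info, start, body = state
        lang = info.split()[0] if info else ""
        if TERMINAL_LANG.match(lang):
            found.append(ExecBlock(start, info, "\n".join(body)))

    for lineno, line in enumerate(markdown.splitlines(), 1):
        if state is None:
            m = FENCE_OPEN.match(line)
            if m and not (m.group("fence")[0] == "`" and "`" in m.group("info")):
                state = (m.group("fence"), m.group("info").strip(), lineno, [])
            continue
        closer = line.strip()
        # A closing fence uses the same character as the opener, is at least as
        # long, and carries nothing else; any other line is block content.
        if closer and set(closer) == {state[0][0]} and len(closer) >= len(state[0]):
            close_block()
            state = None
        else:
            state[3].append(line)
    if state is not None:  # an unclosed fence runs to the end of the document
        close_block()
    return found

F = "`" * 3  # spelled out so the constructed sample needs no literal fences
# Constructed sample deck: one ordinary code block, two terminal blocks, and a
# tilde fence that merely quotes a terminal fence (must not be flagged).
SAMPLE_DECK = "\n".join([
    "# Demo deck", "", F + "python", 'print("rendered, not run")', F, "",
    F + "terminal8", "echo hello from the deck", F, "",
    "~~~text", F + "terminal8", "quoted text, not a block", F, "~~~", "",
    F + "terminal", "uname -a", F])
```

Running `find_executable_blocks` over a deck before presenting it lists the line number and body of every block that would be executed, so a reviewer can refuse decks with unexpected commands.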

d0c-s4vage commented 3 years ago

Great point! I think I know a way to make this very visible to the user, as well as available to all plugins.

d0c-s4vage commented 3 years ago

Version 2.3.0 has been published and has all of the new changes from #110. I'm not sure how much more I can do on my end to make it obvious to the user what happens when they use extensions that run commands from the source markdown.

Let me know if anything else comes up!

d0c-s4vage commented 3 years ago

I've also created a security advisory for this as well https://github.com/d0c-s4vage/lookatme/security/advisories/GHSA-c84h-w6cr-5v8q