livebook icon indicating copy to clipboard operation
livebook copied to clipboard

Published 20 hours ago verified publisher icon livebook-dev

Unable to create markdown link with custom URI handlers

Open leepfrog opened this issue 2 years ago • 8 comments

Environment

  • Elixir & Erlang/OTP versions (elixir --version): Elixir 1.13.2 / Erlang/OTP 24
  • Operating system: x86_64-pc-linux-gnu
  • How have you started Livebook (mix phx.server, livebook CLI, Docker, etc): docker-compose build
  • Livebook version (use git rev-parse HEAD if running with mix): https://github.com/livebook-dev/livebook/commit/fcf3015c87a5060751b998688ed54578a9192f7b
  • Browsers that reproduce this bug (the more the merrier): Safari
  • Include what is logged in the browser console: n/a
  • Include what is logged to the server console: n/a

Current behavior

  1. Create a markdown cell
  2. Enter in a link that uses a custom URI, eg:
This is a custom [link](myurihandler://some/path).
  1. Close markdown editor
  2. Click on link, note that an error is displayed:
Got unrecognised session path: myurihandler:/some/path
If you want to link another notebook, make sure to include the .livemd extension

Expected behavior

For markdown links that follow a URI format, I would expect the browser to handle the link (thereby invoking the system URI handler).

leepfrog avatar Jun 30 '22 00:06 leepfrog

There is a bug that turns this into a relative URL (fixed in #1255). However, with that fixed, the href is removed altogether by HTML sanitization given myurihandler://some/path. I don't think we want to allow arbitrary schemes, in particular javascript:. Are you looking for a well-known scheme, or a custom one?

jonatanklosko avatar Jun 30 '22 12:06 jonatanklosko

We have a few custom schemes that are used to launch native applications.

leepfrog avatar Jun 30 '22 16:06 leepfrog

I see, there's no specific list of dangerous schemes that we could disallow (ref). What we can do is have a configuration under settings for enabling specific schemes other than http/https in the given Livebook instance.

jonatanklosko avatar Jun 30 '22 17:06 jonatanklosko

So the idea is to have a Livebook configuration under settings with special protocols allowed in the Livebook instance.

josevalim avatar Jul 11 '22 19:07 josevalim

I can take a stab at this next week unless someone beats me to it! 😀

Thanks for the guidance

leepfrog avatar Jul 11 '22 21:07 leepfrog

@josevalim Is this issue still available?

gitstart avatar Sep 05 '22 08:09 gitstart

Yes! :)

josevalim avatar Sep 05 '22 09:09 josevalim

Great. Let me pick it up. Also please help review this PR https://github.com/livebook-dev/livebook/pull/1389

gitstart avatar Sep 05 '22 10:09 gitstart

@josevalim @jonatanklosko currently, I have implemented adding and storing the protocols on the live book settings to efs. Could you guide me on functions I should look out for that actually check for these protocols?

Also, I tried implementing isProtocol function using this regex https://regex101.com/r/mGI6IB/1 rehypeExternalLinks doesn't highlight it. Thank you.

hameedhub avatar Feb 06 '23 16:02 hameedhub

@hameedhub we don't actually need to parse the URLs, we can just pass the configured protocol names as allowed ones, in addition to the defaults. The sanitization rules are here:

https://github.com/livebook-dev/livebook/blob/c8dd1151f08d6a5ae85c909528860130f8539deb/assets/js/lib/markdown.js#L101-L111

and I think we can do something like this:

protocols: {
  ...defaultSchema.protocols,
  href: [...defaultSchema.protocols.href, ...extraProtocols],
},

jonatanklosko avatar Feb 06 '23 17:02 jonatanklosko

Closed in #1702.

jonatanklosko avatar Feb 15 '23 21:02 jonatanklosko