On Friday, September 5, 2025 at 8:09:05 AM UTC-5 Thomas wrote: It seems to me that the display of an outline should be read-only, with a few interactive features like expanding nodes. That way the user doesn't need to learn anything special. Security aside, this brings in the tricky question about how to handle @other trees in a way that a user can understand without climbing a learning curve. Named sections don't present a problem, I think. I'm also sure that sentinels should not be visible. I don't know where that leaves Leo directives.
This seems straightforward, and it would be tempting to charge ahead with coding. Security might be a real concern. Unless I misunderstand the OP, security is the *only* concern. Otherwise, people could just install Leo or LeoJS. Before discussing this topic further, I recommend that Brian consult with management what would be acceptable. Unless then, our discussions lack direction. I don't envy anyone trying to keep a company's computers free from malware. I would clear any plan first. OTOH, a Leo outline running in Leo could also be a security concern Absolutely! As I write this, I see that Leo should have an info item about security. The general rule is: * Be wary of receiving a .leo file from anyone you don't know and trust.* Leo prevents any outline except myLeoSettings.leo from setting @bool scripting-at-script-nodes = True. I thank Paul Patterson for pointing out the danger <https://groups.google.com/g/leo-editor/c/1saGMz5eplE/m/AwF5LXgbcskJ>. But Leo can do nothing to prevent the unwary from foolishly clicking a button in an outline from an unknown source. In this sense, passing .leo files around should be a real security concern. - it could modify a standard Leo command to do something nefarious. For myself, I use a javascript blocker in my browser. It would be best if the read-only representation of a Leo outline wouldn't need to import any script packages, for then a script blocker won't need to be told to make an exception, which once again could become a security matter. I don't believe BitDefender would likely detect malicious .leo file. They would likely constitute a Day zero exploit <https://en.wikipedia.org/wiki/Zero-day_vulnerability>. *Summary* Before exploring this topic further, I believe Brian should consult with his management to determine whether there are any acceptable use cases for using any form of Leo, including .html files. Edward -- You received this message because you are subscribed to the Google Groups "leo-editor" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion visit https://groups.google.com/d/msgid/leo-editor/e85caf93-9854-41dd-b237-29922c9d6c68n%40googlegroups.com.
