On Sat, 29 Aug 2015 11:43:24 -0700 (PDT)
john lunzer lun...@gmail.com wrote:
> The title of this post plays off past titles by new users. I've just
> had an email exchange with a new user who was thoroughly confused
> with abbreviations. Basically he just wanted to use the hl;;
> abbreviation for inserting the headline text into a body but could
> get them working. This is no surprise as the information regarding
> getting abbreviations working is spread across five different
> locations:
> - YouTube
> - http://leoeditor.com/abbreviations.html
> - http://leoeditor.com/commands
> - leoSettings.leo
> - exampleSettings.leo.
> No single location provides all the necessary information to make
> full use of abbreviations. Furthermore it is impossible to get to
> abbreviations.html from the leo search (this bug is documented).

I think there's a fix on the way for searching on http://leoeditor.com/
exampleSettings.leo sounds like a bad place for anything to end up,
seeing I didn't even know it existed.

> My proposal is to enable abbreviations AND scripting-abbreviations by
> default to help spread their use. They're very useful and very
> powerful. I don't see how they are any more of a security risk than
> Ctrl+B (exec current node). Assuming a malicious contributor was able
> to sneak in a dangerous abbreviation it would be highly unlikely that
> a user would accidentally type in even something as simple as a;; to
> execute it.
> Please let me know your thoughts.

I don't think you're very good at malice :-) If I wanted someone to
trigger evil code by typing an abbreviation, I'd probably go with
and rather than a;; :-)

So the scenario is getting a .leo file from someone malicious; how
easily can that file do harm? Well, the code base *tries* to block
the most obvious routes - Ctrl-B I hadn't really thought of but that's
something you have to do consciously, even though realistically just
putting the bad stuff far enough down the page to make it harder to see
is obviously a risk. But bottom line you deliberately (finger fumbles
aside) executed code from a source you were choosing to trust.

I'd like to hear what Edward thinks. But the other fix is to make
enabling abbreviations easy to discover and easy to do, with maybe a
warning about the risk thrown in.

There's the Abbrev menu under the Cmds menu and the possibility of
adding things under the Settings menu - the new Edit settings menu
could link to / help manage abbreviation relevant @settings.

Cheers -Terry