Re: gnome-devel-list digest, Vol 1 #777 - 5 msgs

[David Wheeler <dwheeler ida org>]

> Date: Wed, 13 Mar 2002 13:07:51 -0500
> From: "Manuel Amador (Rudd-O)" <amadorm usm edu ec>
> To: gnome-devel-list gnome org
> Subject: Re: 1:30am URL handler idea
>
>
> --------------090408030703060406050307
> Content-Type: text/plain; charset=us-ascii; format=flowed
> Content-Transfer-Encoding: 7bit
>
> Bradford Hovinen wrote:
>
>
> > On Fri, 2002-03-08 at 01:43, Sean Middleditch wrote:
> >
> >
> > > Heya everyone...
> > >
> > > Assuming that the URL handler configuration is going to stay in GNOME
> > > (for the various URL types, like SMB and mailto and such), the
> > > configuration is a pain for the average user.
> > >
> > > What I was thinking was that applications could set (in some kind of
> > > database - most likely gconf) a set of type/name/command settings. 
> > > I.e., Evolution would have, for URL type "mailto", an entry with name
> > > "Evolution" and command "evolution '%s'".
> > >
> > > Now, in the URL configurator, for each URL type, there would be a drop
> > > down box containing all the registered apps (plus one entry for custom,
> > > along with a blank line, or also None).  Thus, if I had Balsa,
> > > Evolution, Althea, etc. installed, I could go to the CC and just select
> > > "Balsa", instead of typing in a command string (which is mean to ask of
> > > newbies/idiots).


Improved support for URLs is _great_, I think that widespread
easy-to-use support would really help users.
Think of your local system as if it were a world-wide-web, where users
can easily click to go from one object to other.
E.G., from Nautilus you see a file, you can right-click to go to
the package description showing where it came from,
and/or the documentation related to it, and type in
search commands that would display anything (info, man, etc.).
Man pages could have hypertext links to info pages, etc.

HOWEVER, be careful how you implement the "execute this program"
command, because some of those URLs are from untrusted users.
Depending on how it's implemented, you might be subject
to attack from people who create pages like this:

<a href="http://www.yahoo.com'; rm -fr /">click here</a>.

This is easy to counter; the program to invoke URLs can check
if it's a valid URL, and the code can be written so that URLs aren't
interpreted by the  shell (e.g., vulnerable to shell metacharacters).


--- David A. Wheeler