On 18/05/2024 02:25, Stefan Monnier wrote:
>>> Actually I've been tempted to teach my mail reader to transform HTML into some lightweight markup (yeah, you need a bit of heuristics for that ;-) -- say Org, but why not its poor sister Markdown.
>>
>> Please don't settle for markdown. I would love an org filter! org-mode just handles tabular data admirably 🙂
>
> Just beware that Org's code is generally written under the implicit assumption that the Org document is trusted, so if you try to reuse parts of Org's code to do the rendering be extra mindful of the potential for security holes.
Leaving aside that in bookworm emacs has not got an update fixing a serious security issue, do you have an example of an HTML to Org converter that may generate unsafe markup?
Specifically regarding tables, I do not like that arbitrary code may be executed in response to TAB or C-c C-c. However, I am unsure if formulas may appear in an Org file converted from HTML.
emacs-orgmode. Re: [BUG][Security] begin_src :var evaluated before the prompt to confirm execution. Fri, 28 Oct 2022 11:11:18 +0700.
https://list.orgmode.org/tjfkp7$ggm$1@ciao.gmane.io
[ This applies to many other ELisp packages, of course; it's not exclusive to Org. ]
Yesterday, reading bug reports and emacs-devel threads related to emacsclient-mail.desktop, I noticed the following:
> IMHO we should stop kow-towing to the information security people who make a huge fuss over every single bug, especially bugs like this one which only show up when you specifically try to trigger them.
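The question above (can an HTML-to-Org conversion leave behind markup that Org will evaluate on TAB or C-c C-c?) can at least be checked mechanically on the converter's output. The following is an added example and is not code from the thread, from Org, or from any converter discussed here. The set of triggers it looks for (`#+TBLFM:` formula lines, `#+BEGIN_SRC` headers carrying `:var`, `#+CALL:` lines, and inline `src_lang{...}` / `call_name(...)` forms) is my own selection based on Org's documented constructs; the sample Org text is constructed for the demonstration. Commenting out a line with a leading `# ` uses Org's ordinary line-comment syntax.

```python
import re

# Org constructs that cause code to run when the user presses TAB or
# C-c C-c on them. This list is an assumption of the example, drawn from
# Org's documentation, not from the mailing-list thread.
TRIGGERS = [
    ("tblfm",       re.compile(r"^\s*#\+TBLFM:", re.IGNORECASE)),
    ("src-var",     re.compile(r"^\s*#\+BEGIN_SRC\b.*\s:var\s", re.IGNORECASE)),
    ("call",        re.compile(r"^\s*#\+CALL:", re.IGNORECASE)),
    ("inline-src",  re.compile(r"\bsrc_[A-Za-z0-9-]+(\[[^\]]*\])?\{")),
    ("inline-call", re.compile(r"\bcall_[A-Za-z0-9-]+(\[[^\]]*\])?\(")),
]

# Line-level triggers that can be neutralised by turning the whole line
# into an Org comment. Source blocks and inline forms are only reported:
# commenting out a #+BEGIN_SRC line alone would leave a dangling #+END_SRC.
LINE_LEVEL = re.compile(r"^\s*#\+(TBLFM|CALL):", re.IGNORECASE)


def find_eval_triggers(org_text):
    """Return (line_number, trigger_name, stripped_line) for every hit."""
    hits = []
    for lineno, line in enumerate(org_text.splitlines(), 1):
        for name, rx in TRIGGERS:
            if rx.search(line):
                hits.append((lineno, name, line.strip()))
    return hits


def neutralize_line_triggers(org_text):
    """Comment out #+TBLFM: and #+CALL: lines; everything else is kept."""
    out = []
    for line in org_text.splitlines():
        out.append("# " + line if LINE_LEVEL.search(line) else line)
    return "\n".join(out) + "\n"


# Constructed sample: what a naive converter might emit if the HTML had a
# table followed by a paragraph whose text happened to look like a formula
# line, plus a code block and some inline forms.
SAMPLE = """* Converted from HTML (constructed sample)
| Item | Qty | Total |
|------+-----+-------|
| foo  |   2 |       |
#+TBLFM: $3='(message "evaluated on C-c C-c")
Some body text.
#+BEGIN_SRC shell :var x=(getenv "HOME")
echo $x
#+END_SRC
Inline: src_emacs-lisp{(+ 1 2)} and call_foo().
"""


if __name__ == "__main__":
    for lineno, name, text in find_eval_triggers(SAMPLE):
        print(f"line {lineno}: {name}: {text}")
    print("--- after neutralising line-level triggers ---")
    for lineno, name, text in find_eval_triggers(neutralize_line_triggers(SAMPLE)):
        print(f"line {lineno}: {name}: {text}")
```

The remaining reports after neutralisation are the ones a converter should handle at conversion time rather than afterwards: a `:var` header on a source block and the inline forms live inside otherwise legitimate text, so the safe option is for the converter never to emit them from untrusted input in the first place.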