[Feature] Generic User Configurable Code Fence Interpreter #5871
Comments
|
Very nice, would love to see this! |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
{{ message }}
Idea:
Allow the code-fence language selector to feed the content inside a code-fence to a user-configurable interpreter/processor. The user interface should be similar to how mermaid is currently implemented, but configurable with a locked-down config file.
Example Markdown:
``` LANG
example input to generic processor
```
Search/resolution order:
This way certain trusted configurations could be pre-packaged with Typora and overridden/added to by users. Pre-packaged interpreters could be things like Mermaid, or any one of the many requests on #1138.
Config Example:
Different output types could improve functionality. For example, if there was a stream interface for video, a user could procedurally generate/collect video that could be displayed in Typora. Could also specify a location for output products / execution along with many other variables.
Example Execution:
Example Rendering:
After executing the custom processor, the output.jpg file would then be rendered into the final document as an image in this example.
If the output product was some additional markdown, that could be rendered as well (with care to prevent deep recursion).
Justification:
Security Concerns:
Giving markdown files the ability to execute programs by rendering them has security implications similar to macros in office programs. One additional security concern would be if an underlying executable had some exploitable bug. I think that guarding the configuration file and letting users know that the feature is potentially dangerous should encompass most concerns. Security is not my expertise.
Ideas for Addressing Security:
Closing:
I've really enjoyed using Typora because it is minimalistic, fast, and intuitive, but it is held back by a lack of user definable extensions. Using functions defined by code-fences that don't automatically know how to execute (since the executable configuration context is locked-down and local) would be a great compromise between a complete extension environment and what we have right now: nothing at all. This feature would provide a unique way to interact with markdown that other markdown editors don't offer, and since this feature leverages code-fences, it would not make markdown files naturally incompatible with vanilla markdown. Furthermore, it would relieve the burden on the Typora team to update and integrate third-party libraries. For example, Mermaid is currently 2 updates behind in Typora, and #1138 has a long list of awaiting integrations going back 5 years. As far as security is concerned, there is a limit to how much anyone can protect people from themselves. Naturally disabling and warning users who enable/whitelist files is probably as secure as a feature like this could be, and people susceptible to an attack by this vector, are also susceptible by many other vectors ("Please download, enable, and run my Microsoft macro..."). Lastly, this feature is not explicitly out of line with the vision of Typora since code-fence based rendering is how current offerings like Mermaid are interfaced with.
The text was updated successfully, but these errors were encountered: