Hyperlinks in terminal emulators(gist.github.com) |
Hyperlinks in terminal emulators(gist.github.com) |
printf '\e]8;;http://evil.com\e\\https://good.com\e]8;;\e\\\n'
WARNING: This has security implications as it allows malicious URLs
to be shown as another URL or hidden.
Make sure you understand the implications before turning this on.
Overall, I think the idea is super interesting, especially the ability to encode in the future other context than URLs with it. Whether actually useful, or just gimmicky, remains to be seen.
<a href="http://evil.com">https://good.com</a>The use-cases provided seem to all just be more or less "it's convenient and looks good", which is the last thing I care about in a situation like that.
allow_hyperlinks ask
> It was, however, not possible until now for arbitrary text to point to URLs, just as on webpages
before saying "oh... no.... I hate this. Please don't."
https://web.archive.org/web/20250324071822/https://gist.gith...
In contrast, in Plumber [1], we have things like !98—this text opens pull request no. 98 by passing "!98" to the local server, which knows how to interpret it.
Both approaches go one step beyond plain text. However, Plumber’s approach, at least, doesn’t compromise the plain text itself by embedding invisible elements.
This eliminates an entire category of risks by design. With no hidden metadata, accidental clicks are less probable and social engineering attacks, such as UI deception, are impossible.
!x has been a shell history expansion since at least csh (1978?).
If you want something half-way between VT220 and Google Chrome, please be original and make something new, rather than wiping your butt on a standard that is still somewhat functioning.
> We have Plumber at home.
> [Plumber at home]...
You can also make your own scheme-handler easily (on Linux at least). I have a `niri://` handler enabling linking to a specific Wayland window. (it has niche usecases :D)
This guy build a pty "proxy" to linkify Claude Code output: https://www.youtube.com/watch?v=GP5TwKnCzhQ
CC already does this with PR/MR/etc links for example (i.e. #123 is clickable and brings you to issue 123 in the repo it's working on)
I wonder though if this is a popular feature. Tilix is under minimal maintenance at the moment, so alternatives would be good to have..
https://www.gnu.org/software//emacs/manual/html_node/emacs/B...
As for the python backtrace, what you need is to set `compilation-error-regexp-alist` and use `compilation-minor-mode`.
https://www.gnu.org/software//emacs/manual/html_node/emacs/C...
Edit: the same applies to diffs generated by /bin/diff. Most of the time, diff strings are unique enough to locate them by plain text searching.
Am I reading it wrong or is this seriously saying "this is secure because it's like web browsing"?
I don't want things to be silo'd just because I run them in the GUI Vs the terminal.
I was working on image compression, and we had a script where we would render a column with the original image link, and a column with the new compressed image, and a column with the relative percentage of size to PNG, and there would be like 200 rows at a time.
I managed to somehow accidentally click on a link in iTerm, my browser opened, and I discovered what "sounding" [1] is, on a company computer, in the company office.
I saw it, whispered "oh fuck!", and quickly killed my browser. I don't think anyone saw me but I was extremely worried that I was going to get fired on my second day of work for viewing porn on a company computer in front of everyone, even though it was a legitimate accident.
So now I don't want my links to be clickable. If there's a link I'll highlight it and paste it into Firefox manually.
[1] If you do not know what sounding is, I do not recommend you look it up, just know that it's a weird sex thing that I wish I didn't know about and cannot unsee.
here's coming from markdown
LINK = ["\033]8;;", "\033]8;;\033\\"]
re.sub(r"\[([^\]]+)\]\(([^\)]+)\)", process_links, line)
def process_links(match):
description = match.group(1)
url = match.group(2)
return f'{LINK[0]}{url}\033\\{UNDERLINE[0]}{description}{UNDERLINE[1]}{LINK[1]}'Also, sounding isn't a weird sex thing per se; it's a mundane (and somewhat painful) medical procedure. One that some people happen to coincidentally have a kink for, mostly due to the discomfort involved. But "some weird people having a kink for medical procedure X" is true of many/most medical procedures.
Fun trick not a lot of people know -
In a web browser, links which are normally clickable become UN-clickable if you hold a modifier. On a mac, it's (option). It's helpful if you want to select text inside a large link (or in a button) so you can copy it.
I had gotten it in my head that the way that you highlight a line in iTerm (and I have no idea where I heard this or why I thought it) was holding command and clicking on the line. It was a mistake I made exactly once.
I am afraid I didn't investigate sounding after I saw the horrifying image; I only learned the name for it after I described the image to someone and they told me what it was; I guess I assumed it was just a weird sex thing, I didn't realize that there was any practical medicine stuff to it.
Though a good terminal should let you control whether you want to render the anchor text, show you the underlying link when you focus/hover/click it, etc.
Granted, on its own, this should be safe. But attacks are usually composed from multiple bugs and/or weaknesses in design. Hence why security folk keep talking about “defence in depth” — ie not to rely on the security of any single facet but instead layering your security just in case any one particular layer does prove to be insufficient.
This is why in my own terminal emulator I implemented hyperlinks via user defined RegEx. The terminal user gets to decide what text becomes click-actionable rather than the attacker.
I actually voiced some concerns with this original hyperlink proposal several years back. In fact lots of developers and security researchers did. And the gist authors response was to delete the replies and turn off comments. Which adds additional concern about this proposal. It follows no process, no feedback, nothing. Just one persons mission to dictate how everyone else’s terminal, and security model, should operate.
CORS has no relation to this issue. Cross-origin means there are at least two origins, but in this case there is only one (where you're trying to navigate).
> But if request is originating from inside the network (as it would from a terminal emulator)
Why would the terminal make requests? Obviously it will dispatch the link to another program specialized in making requests to a protocol, like... a browser?
> Granted, on its own, this should be safe. But attacks are usually composed from multiple bugs and/or weaknesses in design. Hence why security folk keep talking about “defence in depth”
Every feature can be part of an exploit chain, but the "clicking a URL will always lead to the text it is under" ship has sailed 30+ years ago. If your system cannot safely handle this operation then you're in deep trouble, and I don't see how crippling every program in existence is the right solution to that.
> I actually voiced some concerns with this original hyperlink proposal several years back. In fact lots of developers and security researchers did.
Based on what you've written: you and other self-claimed "security researchers" started spamming this spec with concern trolling about hypothetical (non-existent) "security issues", then the author finally got tired and locked down comments, which were obviously intended for people interested in the feature, not those trying to sabotage it.
> Just one persons mission to dictate how everyone else’s terminal, and security model, should operate.
Nowhere does the proposal say that your terminal has to implement this. Indeed, if you have a working ANSI parser the escape sequence is ignored automatically (as the spec also explains).
Have you considered that the person trying to dictate how others' terminals should operate might be you?
e.g. "Log in to receive your bitcoin: https://colnbase.com" (phishing)
Yes, that’s exactly my point. With websites you need two clicks to be compromised, but with a shell session you only need one.
> Why would the terminal make requests? Obviously it will dispatch the link to another program specialized in making requests to a protocol, like... a browser?
Social engineering is rife in browsers and this proposal offer almost nothing to prevent that from happening in the terminal
> Every feature can be part of an exploit chain, but the "clicking a URL will always lead to the text it is under" ship has sailed 30+ years ago. If your system cannot safely handle this operation then you're in deep trouble, and I don't see how crippling every program in existence is the right solution to that.
Again, that’s exactly my point. Terminal emulators are not designed around preventing these kinds of problems and this proposal does nothing to address that concern.
> Based on what you've written: you and other self-claimed "security researchers" started spamming this spec with concern trolling about hypothetical (non-existent) "security issues", then the author finally got tired and locked down comments, which were obviously intended for people interested in the feature, not those trying to sabotage it.
Wow, just wow. There’s taking a comment in bad faith and there’s what you’ve just done. Thanks for calling people trolls just for trying to discuss genuine security concerns.
> Nowhere does the proposal say that your terminal has to implement this. Indeed, if you have a working ANSI parser the escape sequence is ignored automatically (as the spec also explains).
Except the author of this proposed started spamming other projects asking them to implement it. How do you think this random gist became so infamous? It wasn’t stumbled upon by chance.
> Have you considered that the person trying to dictate how others' terminals should operate might be you?
This is another bad faith argument because I’m not the one pushing any proposals nor agenda here. I’m just offering some expertise.
As I said before, I have actually implemented hyperlinks in an open source terminal emulator which I contribute to. But we did it in a completely different way that ensures the terminal user has control over the links rather than an attacker.
And if other terminal maintainers want to follow this proposal verbatim then that’s their choice. I’m not stopping them. But it also doesn’t make my concerns any less valid.