2022-09-19
Nyxt 3 Pre-release 2
This release was planned for later, but we have discovered a potential vulnerability in the way we treat internal pages, so we consider it necessary to release a new version with a security patch. We urge everyone using Nyxt 3 pre-release 1 to update their installation to be safe.
The vulnerability is the following: we used to call `read-from-string` on the URL path of the pages currently open in all Nyxt buffers, treating the path as Lisp code. Given that the Lisp reader allows code evaluation by default, this could have caused arbitrary code execution in Nyxt. The scope of this vulnerability is quite restricted, though:
- The URL-parsing library we use, QURI, strips off at least the most dangerous constructs, like the `#.` reader macro and quasi-quoted lists.
- Not all URLs are recognized as readable by the Lisp reader; those cause reader errors and thus cannot be evaluated.
- The vulnerability only concerns Nyxt 3, while Nyxt 2, including the most used Nyxt 2.2.4, is safe.
Artyom has pushed a fix restricting the URLs being parsed to strictly the internal ones, in commit eebf1f8d7, which is included in Nyxt 3 pre-release 2.
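To make the mechanism concrete, here is an added Common Lisp illustration (not Nyxt's own code) of why reading untrusted text with the reader's defaults is dangerous, next to a hardened variant that, like the fix above, only accepts internal pages and additionally disables read-time evaluation. The `"nyxt"` scheme name used to recognise internal pages and the `demo` helper are assumptions for this example.

```lisp
;; Added illustration, not Nyxt's own code. Shows why calling
;; READ-FROM-STRING on untrusted text is dangerous and two mitigations
;; in the spirit of the fix described above. The "nyxt" scheme name used
;; to recognise internal pages is an assumption.

(defun parse-path-unsafely (path)
  "Pre-release-1 style: read PATH with the reader's defaults.
*READ-EVAL* is true by default, so a #. form in PATH is evaluated
while it is being read, before any caller gets to inspect the result."
  (read-from-string path))

(defun internal-url-p (scheme)
  "Only pages served by the browser itself may carry Lisp in their path."
  (string= scheme "nyxt"))   ; assumption: name of the internal scheme

(defun parse-internal-path (scheme path)
  "Hardened variant: refuse non-internal pages outright (as the commit does)
and additionally bind *READ-EVAL* to NIL so that #. signals a READER-ERROR
instead of running code. Returns NIL for anything that is not accepted."
  (when (internal-url-p scheme)
    (let ((*read-eval* nil))
      (handler-case (read-from-string path)
        (reader-error () nil)))))

;; Constructed, harmless demonstration input: a read-time-eval form.
(defparameter *demo-path* "#.(+ 1 2)")

(defun demo ()
  "Run the same constructed input through both variants."
  (list :unsafe   (parse-path-unsafely *demo-path*)
        :external (parse-internal-path "https" *demo-path*)
        :internal (parse-internal-path "nyxt" *demo-path*)))
```

Calling `(demo)` under SBCL yields `(:UNSAFE 3 :EXTERNAL NIL :INTERNAL NIL)`: the first value shows that the form ran during reading, while the other two show the input being rejected before anything is evaluated. Binding `*read-eval*` is defence in depth on top of the scheme check, since the reader still interns symbols and builds objects from whatever it is given.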
Dangerous things aside, this pre-release also brings lots of other bug fixes and new features, making for a smoother usage experience and complete browser introspection.
Please feel free to share your feedback on our GitHub issue tracker!
You can download Nyxt 3 Pre-release 2 here.
Notable highlights:
- `reduce-tracking-mode` cleans widely known tracking query parameters.
- Improve the algorithm that determines whether an element is in the viewport.
- Rename `nyxt/hint-mode:box-style` to `nyxt/hint-mode:style`.
- Deprecate `nyxt/hint-mode:highlighted-box-style` and merge it into `nyxt/hint-mode:style`.
- Remove `hint-mode`'s image support by default.
- Add `nyxt/hint-mode:compute-hints-in-view-port-p`, allowing hints to be optionally computed in the viewport.
- Add `height` slot to `prompt-buffer`.
- Add `nyxt/hint-mode:fit-to-prompt-p`, minimizing the space taken by `prompt-buffer` while navigating hints.
- Add `nyxt/hint-mode:show-hint-scope-p` for element highlighting of hinted elements.
- Add `marks-actions` that run when marked items on `prompt-buffer` change.
- Extend `nyxt/hint-mode:style` to accommodate marked hints.
- `default-modes` can be configured with `%slot-value%`.
- Add `toggle-maximize` command for maximizing a window.
- All copying and pasting commands populate `clipboard-ring` reliably, thus fixing the `paste-from-clipboard-ring` command.
- Major improvement of `editor-mode`.
- `execute-command` evaluates arbitrary Lisp code and provides inline documentation for symbols.
- Extend keybindings for all keyschemes in `editor-mode`.
- Bind `paste-from-clipboard-ring` to `M-y` in the Emacs keyscheme.
- Bind familiar keys for text cutting in `prompt-buffer`.
Bug fixes
- Improve version parsing so that it is aware of pre-releases (notice that this propagates to reader macros such as `#+nyxt-3-pre-release-2`).
- Fix touchscreen gestures for VI mode.
- Fix processing via relative paths when opening files.
- Setting `restore-session-on-startup-p` to `nil` no longer hangs the browser.
- Fix buffer re-attachment from the deleted window.
- Move download hooks to `download-mode`, enabling proper typing and adding handlers to them.
- Clipboard ring is properly filled on every clipboard action happening inside Nyxt.
- `view-source` returns an unmodified DOM without `nyxt-identifier`s or other Nyxt-specific implementation details.
- Fix `history-backwards` by gracefully handling pages that are not yet done loading.
- Fix full-screening event handling: the status buffer no longer goes out of sync with the full-screened page/video.