Beta: why no possibility to launch other urls than http(s)?

edited December 17, 2019
After the latest commit::::::::::::::, https://github.com/zotero/zotero/commit/df40ee7216ac8d422a618336f768dd69116555ee, there doesn’t seem to be any possibility to launch attached URI-links other than http(s) from Zotero.
Is this really intended behaviour? There has been the possibility too add such links to note-taking apps (see: ::::::https://github.com/zotero/zotero/blob/df40ee7216ac8d422a618336f768dd69116555ee/chrome/content/zotero/xpcom/attachments.js#L623) but it seems like these won’t be possible to open now? I get the error "launchUrl() requires an HTTP(S) URL" when trying to open such an url.

Was this intended?

I very much depended on this behaviour, and I guess some other people also do.

I actually used to build my own Zotero with some small changes just to be able to link into emacs and org-mode via "org-protocol" urls. See: https://github.com/zotero/zotero/compare/master...andersjohansson:customValidUrls. But I recently had problems with the build process, and when looking into solutions saw the latest changes that would make this workflow even more difficult.

Is allowing other protocols to be used a possible security threat? Couldn’t it be disabled by default but allowed to be customized for users who knows what they are doing then?
  • The patch should only affect the URL field -- are you saying you're using that for org-protocol URLs?
    The intended use for URLs to note-taking apps etc. has always been in notes, not in the item metadata. Haven't looked at the code in detail, but I don't see how that would affect URLs opened from notes at first glance
  • No, I’m not putting the custom URLs in the metadata of the item, but via "Attach link to URI..." (which creates an URI-attachment to the item).

    Now, when double-clicking one such link with for example org-protocol (or evernote or whatever), I get the error:

    [JavaScript Error: "launchURL() requires an HTTP(S) URL" {file: "chrome://zotero/content/xpcom/zotero.js" line: 1036}]

    which is exactly the check created in the last commit.

    Without digging much deeper I’d guess this is because of the switched logic in zoteroPane.js in the mentioned commit: launchUrl is called if none of the special cases "chrome", "resource", or "zotero" apply (but the allowed special protocols should also be allowed here). Earlier the default option was to call Zotero.openInViewer.
  • Sorry about that — this should be fixed in the latest beta.
  • Thanks, that’s great!
    My only remaining problem is that the limitation on schemes here:: https://github.com/zotero/zotero/commit/3d2afa9c7fc3ed0685c73dd49c389d5eae58c0d9#diff-9c93d20596380224a97faab26e528866R1035

    It limits url schemes to alphanumeric characters, while it should allow: "a sequence of characters beginning with a letter and followed by any combination of letters, digits, plus (+), period (.), or hyphen (-)"
    https://en.wikipedia.org/wiki/Uniform_Resource_Identifier
    https://tools.ietf.org/html/rfc3986#section-3.1

    (my use of the "org-protocol" scheme still didn’t work ::-))
  • Fixed in Zotero 5.0.81 and the latest beta.
Sign In or Register to comment.