Nyxt 3 Pre-release 2

This release was planned for later, but we've discovered a potential vulnerability in the way we treat internal pages. We consider it necessary to release a new version with a security patch. We urge everyone using Nyxt 3 pre-release 1 to update their installation to be safe.

The vulnerability is the following: we used to read-from-string Lisp code from the URL path of the pages currently open in all Nyxt buffers. Given that Lisp reader allows code evaluation by default, this could've caused arbitrary code execution in Nyxt. The scope of this vulnerability is quite restricted, though:

• The URL-parsing library we use, QURI, strips off at least the most dangerous constructs, like #. reader macro and quasi-quoted lists.
• Not all URLs are recognized as readable by the Lisp reader, causing reader errors and thus inability to evaluate the code.
• The vulnerability only concerns Nyxt 3, while Nyxt 2, including the most used Nyxt 2.2.4, are both safe.

Artyom has pushed a fix restricting the URLs being parsed to strictly the internal ones, in commit eebf1f8d7, which is included in the Nyxt 3 pre-release 2.

Dangerous things aside, this pre-release still has lots of other bug fixes and new features added, making for a smooth usage experience and complete browser introspection.

Please feel free to share your feedback on our GitHub issue tracker!

You can download Nyxt 3 Pre-release 2 here.

Notable highlights:

• reduce-tracking-mode cleans widely known tracking query parameters.
• Improve the algorithm that determines whether an element is in viewport.
• Rename nyxt/hint-mode:box-style to nyxt/hint-mode:style.
• Deprecate nyxt/hint-mode:highlighted-box-style and merge it into nyxt/hint-mode:style.
• Remove hint-mode's image support by default.
• Add nyxt/hint-mode:compute-hints-in-view-port-p allowing hints to be optionally computed in viewport.
• Add height slot to prompt-buffer.
• Add nyxt/hint-mode:fit-to-prompt-p minimizing the space taken by prompt-buffer while navigating hints.
• Add nyxt/hint-mode:show-hint-scope-p for element highlighting of hinted elements.
• Add marks-actions that run when marked items on prompt-buffer change.
• Extend nyxt/hint-mode:style to accommodate for marked hints.
• default-modes can be configured with %slot-value%.
• Add toggle-maximize command for maximizing a window.
• All copying and pasting commands populate clipboard-ring reliably, thus fixing the paste-from-clipboard-ring command.
• Major improvement of editor-mode.
• execute-command evaluates arbitrary Lisp code and provides inline documentation for symbols.
• Extend keybinding for all keyschemes in editor-mode.
• Bind paste-from-clipboard-ring to M-y in Emacs keyscheme.
• Bind familiar keys for text cutting in prompt-buffer.

Bug fixes

• Improve version parsing so that it is aware of pre-releases (notice that it propagates to reader macros such as #+nyxt-3-pre-release-2).
• Fix touchscreen gestures for VI mode.
• Fix processing via relative paths when opening files.
• Setting restore-session-on-startup-p to nil no longer hangs the browser.
• Fix buffer re-attachment from the deleted window.
• Move download hooks to download-mode enabling proper typing and adding handlers to them.
• Clipboard ring is properly filled on every clipboard action happening inside Nyxt.
• view-source returns an unmodified DOM without nyxt-identifier-s or other Nyxt-specific implementation details.
• Fix history-backwards by gracefully handling pages that are not yet done loading.
• Fix full-screening event handling—status buffer no longer goes off-sync with the full-screened page/video.

Screenshots