CVE-2020-36767: alert leads to code execution on Linux · Issue #25498 · servo/servo
tinyfiledialogs (aka tiny file dialogs) before 3.8.0 allows shell metacharacters in titles, messages, and other input data.
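The bug class behind this CVE, shown as an added example that is not Servo's or tinyfiledialogs' own code: a caller-controlled dialog title spliced into a shell command string and handed to `sh -c`, beside the same title passed as its own argv entry with no shell in the path. `echo` stands in for the dialog binary (an assumption made so the example runs without a display), and the function names below are the editor's, not the library's.

```rust
use std::process::Command;

/// Assumption: `echo` replaces the real dialog program (zenity, kdialog, ...)
/// so we can observe exactly which bytes reached its argv.
const DIALOG_BIN: &str = "echo";

/// Vulnerable pattern: build one shell command line from a format string and
/// run it through `sh -c`. Wrapping the title in double quotes does not help:
/// `$(...)`, backticks and an embedded `"` are all still interpreted by sh.
pub fn show_via_shell(title: &str) -> String {
    let cmdline = format!("{} --title=\"{}\"", DIALOG_BIN, title);
    let out = Command::new("sh")
        .arg("-c")
        .arg(&cmdline)
        .output()
        .expect("failed to spawn sh");
    String::from_utf8_lossy(&out.stdout).into_owned()
}

/// Hardened pattern: no shell at all. Each argument becomes a separate argv
/// entry of execve, so the title arrives at the program byte-for-byte and has
/// no opportunity to be parsed as shell syntax.
pub fn show_via_argv(title: &str) -> String {
    let out = Command::new(DIALOG_BIN)
        .arg(format!("--title={}", title))
        .output()
        .expect("failed to spawn dialog binary");
    String::from_utf8_lossy(&out.stdout).into_owned()
}

/// Defense in depth for code that cannot avoid a shell: refuse input carrying
/// the characters sh assigns meaning to. This is a gate, not a substitute for
/// the argv form above; quoting rules differ between shells and it is easy to
/// miss one.
pub fn has_shell_metachars(s: &str) -> bool {
    const META: &str = "$`\"'\\;|&<>(){}[]*?~!#\n";
    s.chars().any(|c| META.contains(c))
}

fn main() {
    // Constructed hostile titles: command substitution, and quote breakout.
    for hostile in ["Notice $(echo INJECTED)", "Foo\"; echo PWNED; echo \""] {
        println!("title      : {:?}", hostile);
        println!("metachars? : {}", has_shell_metachars(hostile));
        println!("via sh -c  : {:?}", show_via_shell(hostile));
        println!("via argv   : {:?}", show_via_argv(hostile));
    }
}
```

Run it and compare the two outputs: through `sh -c` the substitution executes and the quote breakout splits the line into three commands, while through argv the dialog program simply receives the literal text. The same distinction applies to any wrapper crate: if the C library underneath concatenates strings for `system()` or `popen()`, no amount of escaping on the Rust side is a reliable fix.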
I’d like to mention two possible ways forward from this:
1. I really like how direct and straightforward https://github.com/saurvs/nfd-rs is compared to tinyfiledialogs. Unfortunately, part of that directness is that nfd-rs has just file dialogs, not simpler things like alert boxes and input boxes which we currently also use from tinyfiledialogs.
I think it might make sense for someone with access to Windows/Linux/Mac buildchains, as a slightly ambitious but pretty reasonable project, to fork nfd-rs and its C upstream, clean up any dependency conflicts it might have with Servo, and add those simpler cases to it.
2. Another possibility would be to build our own dialogs within the glutin or winit ecosystem. We’re already making buttons and input boxes as part of HTML layout, so there should be no technical reason why we can’t make dialogs (assuming getting a popup window isn’t much harder than I imagine). That would maximize look-and-feel consistency and minimize the number of places in the code we’re calling out to the native graphics library.