CVE-2023-2317: Typora 1.6
DOM-based XSS in updater/update.html in Typora before 1.6.7 on Windows and Linux allows a crafted markdown file to run arbitrary JavaScript code in the context of the Typora main window by loading typora://app/typemark/updater/update.html in an <embed> tag. This vulnerability can be exploited if a user opens a malicious markdown file in Typora, or copies text from a malicious webpage and pastes it into Typora.
“Files” Section in Preferences Panel
In this version, we rearranged the groups in the Preferences Panel and added a new “Files” group for file-related settings.
New options:
- Typora now allows you to set the default file extension used when saving a file or adding a new file from the files sidebar.
- Typora now allows you to configure what happens when files or folders are dropped into Typora. Currently there are two options:
  - Open or import the file / folder in Typora
  - Insert a file link into Typora
Options to Disable Auto Links
You can now configure whether Typora automatically recognizes and renders links, from Preferences Panel → Markdown → Syntax Support.
When Auto Links is disabled, bare URLs and email addresses such as https://typora.io or a mailto: address in the markdown document will NOT be rendered as clickable links.
You can still insert links explicitly with the [title](url) or <url> syntax.
When Auto Links is enabled, bare URLs and email addresses such as https://typora.io or a mailto: address in the markdown document are rendered as clickable links automatically.
Default Code Language
You can now set a default code language for code blocks from Preferences Panel → Code Fences.
Typora provides the following options for when the default is applied:
- Apply the default code language when adding code fences from the menu bar, the context menu, or shortcut keys.
- Apply the default code language when adding code fences by typing the markdown syntax ```. You can press Backspace or use Undo to remove the automatically applied code language.
- Apply it in both cases.
(Screenshot: Auto Apply Code Language for Code Blocks inserted from menu)
(Screenshot: Auto Apply Code Language for Code Blocks inserted from Markdown)
You can also choose Last Used to automatically apply the most recently used code language when inserting new code blocks.
Timeline Diagram
Typora has upgraded the Mermaid library to version 10, and timeline diagrams are now supported.
We also added a link to the diagram configuration options under Preferences Panel → Markdown → Syntax Support → Diagrams.
Other Changes
Thai Language Support
Typora now speaks Thai, thanks to ARMnunf!
PicList as an Image Uploader
Typora now supports PicList as an image uploader service. See here for more details.
Other Improvements
- Added PEG.js syntax highlighting support.
Privacy & Security Updates
- Fix CVE-2023-2317
- Fix CVE-2023-2316
- Exported HTML no longer uses Google Fonts mirrors; the official Google Fonts CDN is used instead.
Bug Fixes
- Fix a node sometimes not rendering in Mermaid diagrams when the keyword[“keyword”] syntax is used.
- Fix unreadable colors of the typic package in dark themes.
- Fix inline Mermaid configs unintentionally affecting other Mermaid blocks.
- Fix task status not being changeable from the menu bar when the task list is inside nested lists.
- Fix math blocks always being auto-numbered in exported docx, ignoring the related setting.
- [Spec change] Typora now allows users to escape the : mark to avoid unwanted emoji codes being inserted.
Notice for Windows
From this version, Windows 7, 8, 8.1 are no longer supported.
For older Windows support, please check here.
Related news
Improper path handling in Typora before 1.7.0-dev on Windows and Linux allows a crafted webpage to access local files and exfiltrate them to remote web servers via "typora://app/typemark/". This vulnerability can be exploited if a user opens a malicious markdown file in Typora, or copies text from a malicious webpage and pastes it into Typora.
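The two advisories on this page (CVE-2023-2317 at the top and CVE-2023-2316 just above) share one ingredient: untrusted content that references Typora's internal typora:// scheme, which the application treats as trusted. The following is an added example, not Typora's own code and not part of either advisory. It is a triage scanner that flags such references in a markdown file received from outside, in raw HTML tags such as <embed> and <iframe> and, as a conservative extension beyond the advisory text, in markdown link and image destinations as well. The tag and attribute lists, the entity decoding, the control-character stripping and the constructed SAMPLE document are this example's own assumptions. It is a heuristic for review, not a sanitizer; the fix for the vulnerabilities themselves is updating to the fixed versions stated above.

```javascript
// Added example (not Typora's code): flag references to Typora's internal
// typora:// scheme in untrusted markdown, the vector shared by CVE-2023-2317
// (<embed src="typora://app/typemark/updater/update.html">) and CVE-2023-2316
// ("typora://app/typemark/" from a crafted webpage). Lists below are assumptions.

// Raw HTML elements whose URL-bearing attributes are worth checking (assumed list).
const RAW_HTML_TAG = /<(embed|iframe|object|img|script|a|source|link|video|audio)\b([^>]*)>/gi;
// Attributes that carry a URL (assumed list).
const URL_ATTR = /\b(src|href|data|poster)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/gi;
// Markdown link/image destination: text after "](" up to whitespace, ")" or ">".
const MD_DESTINATION = /(!?)\[[^\]]*\]\(\s*<?([^\s)>]+)/g;

// Decode numeric entities and &amp; so "&#x74;ypora:" is compared as "typora:".
function decodeEntities(s) {
  return s
    .replace(/&#x([0-9a-f]+);/gi, (_, h) => String.fromCodePoint(parseInt(h, 16)))
    .replace(/&#(\d+);/g, (_, d) => String.fromCodePoint(parseInt(d, 10)))
    .replace(/&amp;/gi, '&');
}

// Browsers drop tabs, newlines and other control characters while parsing a URL,
// so strip them before comparing; otherwise "ty\tpora:" would slip past.
function isInternalScheme(value) {
  const normalized = decodeEntities(value).replace(/[\u0000-\u0020]/g, '');
  return /^typora:/i.test(normalized);
}

// Returns one record per suspicious reference: line number, where it was found,
// which attribute carried it, and the raw (undecoded) value for the reviewer.
function findInternalSchemeRefs(markdown) {
  const hits = [];
  markdown.split(/\r?\n/).forEach((line, idx) => {
    const lineNo = idx + 1;
    for (const tagMatch of line.matchAll(RAW_HTML_TAG)) {
      const tag = tagMatch[1].toLowerCase();
      for (const attr of tagMatch[2].matchAll(URL_ATTR)) {
        const value = attr[2] ?? attr[3] ?? attr[4] ?? '';
        if (isInternalScheme(value)) {
          hits.push({ line: lineNo, tag, attr: attr[1].toLowerCase(), value });
        }
      }
    }
    for (const md of line.matchAll(MD_DESTINATION)) {
      if (isInternalScheme(md[2])) {
        hits.push({
          line: lineNo,
          tag: md[1] ? 'markdown-image' : 'markdown-link',
          attr: 'destination',
          value: md[2],
        });
      }
    }
  });
  return hits;
}

// Constructed sample document: benign lines plus three references that should be flagged.
const SAMPLE = [
  '# Meeting notes',
  'Normal link: [Typora](https://typora.io) and <https://typora.io>',
  '<img src="https://example.com/logo.png" alt="ok">',
  '<embed src="typora://app/typemark/updater/update.html">',
  "<iframe src='&#x74;ypora://app/typemark/'></iframe>",
  '![x](typora://app/typemark/)',
].join('\n');

const report = findInternalSchemeRefs(SAMPLE);
for (const h of report) {
  console.log(`line ${h.line}: ${h.tag} ${h.attr}=${JSON.stringify(h.value)}`);
}
```

Run against SAMPLE, the scanner reports lines 4, 5 and 6 and leaves the ordinary https:// link, autolink and image alone. Because the check runs on text rather than on the rendered DOM, it is cheap enough to apply to every file coming out of a shared inbox or a repository, but it should be read as a prompt for manual review, not as proof that a file is safe.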