Importing a config with the Custom JS widget breaks extension version
Closed this issue · 1 comments
On the web version of Tabliss and Tab Nine (Tab Nine web edition is currently not hosted anywhere), there is the ability to add a custom JavaScript widget. While this is a very powerful feature, the execution of arbitrary code is currently forbidden by most web stores - for good reason.
However, exporting a config from the web version and then attempting to use that config on the extension version will cause Tab Nine to be unable to load.
This is a serious issue, as it is then difficult to reset Tab Nine to a working state. While trivial for a user who knows their way around developer tools, a non-technical user will have no chance of fixing this themselves (although one could argue that no non-technical user would be writing Javascript, and thus if they get in this situation would know how to escape it).
Regardless, this is a bug that needs to be fixed in order to prevent this from happening again.
Possible Fixes
- Remove the custom JS widget entirely
- Add a check that runs during import of json that blocks custom JS (and present a warning)
- Don't export the custom JS in the first place
Fixed by creating a failstate where 'unknown widget' is used as a placeholder for expected widget