Added External Links extension

[GravityDeficient]

Added External Links extension for attaching external links to characters, mounts, and props.

Make sure that your submission has the following:

• A link to the raw github markdown file with a YAML front matter definition containing:
  • The title of your extension
  • A description of your extension
  • The author
  • A hero image
  • An icon
  • Tags (these will help with your extension's discoverability)
  • A link to your extensions manifest

Please, go through these steps before you submit a PR.

• You have done your changes in a separate branch.

• You have a descriptive commit message with a short title (first line).

• You have only one commit (if not, squash them into one commit).

• Your pull request MUST target the main branch on this repository.

• Your pull request puts your extensions details as the last entry in the extensions.json file

[Several-Record7234]

Just commenting that there's a live discussion about the security and reputational risks of an extension that can present obfuscated (and possibly malicious) URLs from 'within OBR', and the ways those risks could be mitigated.

[GravityDeficient]

Understood. Let me know if you have any feedback on ways to mitigate this. I'm happy to update it. We could use a modal to present the URL to the user so they can see it and let them know the risk. This is part of the reason I only allow the GM to create these links.

[Several-Record7234]

Understood. Let me know if you have any feedback on ways to mitigate this. I'm happy to update it. We could use a modal to present the URL to the user so they can see it and let them know the risk. This is part of the reason I only allow the GM to create these links.

A modal to reveal the link destination would be good, but lookalike URLs would still be an issue for the unwary.

Restricting link creation to GM only is good, perhaps there could also be a modal that warns the user about the risks (eg. "use caution, look at the links first, do you know and trust your GM?", etc.) when the extension's action popover is first opened by each player, that needs to be dismissed before links can be accessed? That would protect against abuse of this tool by malicious/toxic GMs who deliberately gather strangers to play together.

[GravityDeficient]

Great ideas! I'll put together a warning Modal and way to inspect the link with an acknowledgement.

The extension today is already restricted to only GM to create links and I intend to keep it that way, especially after this feedback.

[Several-Record7234]

Great ideas! I'll put together a warning Modal and way to inspect the link with an acknowledgement.

The extension today is already restricted to only GM to create links and I intend to keep it that way, especially after this feedback.

Thanks - I've labelled this as 'needs response' just until you've implemented those changes, so ping us a comment here when you're ready for extension validation and I'll move it forward!

[GravityDeficient]

I've updated the extension to address the concerns in the following ways-

1. Users now get a Risk Acknowledgment when the extension is loaded for the first time for each session.
   Please be aware that clicking on external links may carry risks. Links may be obfuscated and could potentially lead to harmful content. It is essential to exercise caution and ensure you trust the GM before proceeding. Always inspect URLs carefully before clicking.
   Users must click "I Understand" to continue use.

2. I've added a "Copy & Inspect" button. This displays the URL in a notification window and copies it to their clipboard for further inspection.

3. A hover state tooltop was added to the external and modal buttons displaying the URL. This uses the MUI tooltip component.

4. Added URL sanitation with https://github.com/braintree/sanitize-url. URLs which are sanitized or otherwise invalid are disabled and not usable.

Let me know if this is enough or if you'd prefer to see any more changes.

[Several-Record7234]

I've updated the extension to address the concerns in the following ways-

1. Users now get a Risk Acknowledgment when the extension is loaded for the first time for each session.
   Please be aware that clicking on external links may carry risks. Links may be obfuscated and could potentially lead to harmful content. It is essential to exercise caution and ensure you trust the GM before proceeding. Always inspect URLs carefully before clicking.
   Users must click "I Understand" to continue use.
2. I've added a "Copy & Inspect" button. This displays the URL in a notification window and copies it to their clipboard for further inspection.
3. A hover state tooltop was added to the external and modal buttons displaying the URL. This uses the MUI tooltip component.
4. Added URL sanitation with https://github.com/braintree/sanitize-url. URLs which are sanitized or otherwise invalid are disabled and not usable.

Let me know if this is enough or if you'd prefer to see any more changes.

Personally this looks really good to me, thanks! However, I'm not the final gatekeeper, so I'll do the initial verification and then let Mitch and/or @nthouliss assess the residual risk now that you've added these mitigations.

[Several-Record7234]

Validation script and image URLs check out fine. Extension functionality and API usage not checked.

[nthouliss]

Thanks for your patience on this and for the additional changes you made :)