Notepad's new Markdown powers served with a side of remote code execution

They just don't know when to let things be.

Markdown support in notepad is about as useful as a screen door on a submarine.

"All of this [..] can be toggled off"

Nope, not the way to do it.

It should be "toggled on".

Not that I care anyway, Notepad++ is vastly superior and does exactly what I want it to do.

There's Edit

On Windows 11 (and maybe Server 2025, I've not got one to hand to check) they've reintroduced Edit. Which for those of you older than God's dog will remember from back in the MSDOS days. It's how Notepad should be - just a simple text editor. It even supports mouse-clicks for the menus for those too chicken to use a keyboard shortcut.

Ode to Wordpad

Microsoft had a very nice full-RTF editor, Wordpad. It was quite handy for basic formatting of notes on systems without an Office install.

What a bloody mess

See title.

Which dullard thought "I know, I'll fsck up notepad to justify my job today"?

Ask the fly on the wall who saw the feature being developed

Markdown is a general term to describe a family of text formats that generally have these properties

1. It's mostly already readable in its text form

2. each MD format may have one or more converters to render HTML (or similar)

Generating HTML with external inputs is an inherently dangerous practice - not just for MS, as this github page describes - Markdown's XSS Vulnerability (and how to mitigate it).

That page concludes - So, is it all lost? Not really. The answer is not to filter the input, but rather the output. After the input text is converted into full fledged HTML, you can then reliably apply the correct XSS filters to remove any dangerous or malicious content.

Yet the bug MS describes goes further - Attacker needs only to get an unwitting user to open a Markdown file in Notepad and click a malicious link embedded inside. According to Microsoft's explanation, a hacker can exploit the vulnerability to launch "unverified protocols" that load and execute files with the user's permissions. That's another level of permissiveness altogether.

I don't think any mainstream browser would allow execution in the host environment, or even allow saving a file without a message box confirmation. Somebody must have built that feature into Notepad deliberately. It's either 20th century level of naivety, or a nation state plot, or both.

Seriously

Bring back wordpad for all this junk. Let us have a minimal feature text editor we can lock to a don't/size with no silly!

Once upon a time

Once upon a time, I needed a simple text control, wrote it, had fun, and was happy. Then I wondered whether I could package the control into an app, did that, had fun, and was happy. The I wondered whether I could make the app international, translated it into ten languages, had fun, was happy. Then I wondered whether I could publish the app into the microsoft app store, made a web page, wrote privacy statements, uploaded and certified the app, had fun, and was happy. The app was still very simple, no bells, no whistles, and no bugs. The app was free and it was downloaded and used around the world - not often but on most days. I am not sure why anyone needed a simple text editor, but I had fun, and I was happy. Last year, microsoft removed the app from its app store. The report said: "Your product must offer unique lasting value, such as interaction and variety. Content offered provides little value or variety."... and I lived happily ever after.

Settings

I was poking around in Notepad the other day, as I had to use it as NP++ wasn't installed. I found that there are some settings now under settings (cog icon), top right, which allows some of the crap to be turned off, including Word wrap, formatting, not re-opening everything when you re-open the apps, discarding previous session, no spellcheck, no auto correct, no copilot.

Each setting is obviously defaulted to on, which is generally not what you want. Its all very much Wordpad lite now.

I'm also left wondering who the target user base would be for this monstrosity - given that they are driving everyone towards Office 345 and anyone with half a brain will be installing one of the Open Source alternatives if they actually want to write docs for free.

Bring back notepad. Simple, like it should be.

I wonder if Microsoft could publish a simple paper about what their expected use cases are for all the overlapping products that can edit stuff.

everyone reacting here has never experienced symbolics genera.

I'm reminded of a tale from not long after the great Humphrey Lyttelton passed away - in a tribute programme Jeremy Hardy told the story of being on tour for "...Clue", staying in a hotel somewhere in the UK, sharing a table with Humphrey for breakfast.

when Humphrey's order arrived he looked at it for a minute, and then with a big sigh said "Prunes....how in the world do you fuck up prunes?!"

right now if Microsoft was a chef, I wouldn't trust them to boil me an egg :-(