Area: mobieusKnow (audit p6) · Surface: mobieusKnow mobile editor (link toolbar button) · Dimension: native-dialogs · Severity: major
Native browser prompt() is explicitly banned across the platform (no_native_browser_dialogs memory: confirm/alert/prompt banned; use data-confirm or App.modal). On mobile this is the worst place for it — the native iOS/Android prompt ignores the theme, looks like a phishing/malware popup, and breaks the otherwise-polished mobile-v2 shell. Every other mobieusKnow surface correctly uses App.modal.prompt (queue.php) or data-confirm. The desktop editor inserts links via wrapSel('[','](url)') with no dialog at all, so mobile is the only surface that pops a native dialog.
Evidence
platform/templates/mobile/knowledge/editor.php:183-190 — function insertLink() { var s = ta.selectionStart, e = ta.selectionEnd; var sel = ta.value.slice(s, e) || 'link text'; var url = prompt('URL:', 'https://'); if (!url) return; ...}. The toolbar Link button (line 107, data-md-link) calls insertLink() on tap (line 196).
Suggested fix
Replace prompt() with App.modal.prompt(title, message, options, onConfirm) the same way queue.php does, or insert a placeholder '[text](url)' and let the user fill the URL inline (matching the desktop wrapSel approach). Guard for App.modal absence with a graceful no-op fallback.
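One way to implement the fix above, as an added example that is not the platform's own code: it uses App.modal.prompt(title, message, options, onConfirm) when available and otherwise falls back to the inline '[text](url)' placeholder rather than a no-op, so the native prompt() is never reached. Assumptions: onConfirm receives the entered string (empty or null on cancel), the options key `value` is hypothetical, and the textarea and App object are passed in as arguments so the function can be exercised without a DOM.

```javascript
// Added example. Assumed, not confirmed by the audit: onConfirm(url) receives
// the entered string, and { value: ... } pre-fills the field (hypothetical key).

// Replace the current selection with [text](url) and place the caret.
function wrapLink(ta, url, selectUrl) {
  var s = ta.selectionStart, e = ta.selectionEnd;
  var text = ta.value.slice(s, e) || 'link text';
  var md = '[' + text + '](' + url + ')';
  ta.value = ta.value.slice(0, s) + md + ta.value.slice(e);
  // The URL starts after "[" + text + "](" inside the inserted markdown.
  var urlStart = s + text.length + 3;
  if (selectUrl) {
    // Select the placeholder so the user can type the URL over it.
    ta.selectionStart = urlStart;
    ta.selectionEnd = urlStart + url.length;
  } else {
    ta.selectionStart = ta.selectionEnd = s + md.length;
  }
  return md;
}

// Replacement for the editor's insertLink(); returns which path was taken.
function insertLink(ta, app) {
  var modal = app && app.modal;
  if (modal && typeof modal.prompt === 'function') {
    // Capture the selection now: focus moves to the modal while it is open.
    var s = ta.selectionStart, e = ta.selectionEnd;
    modal.prompt('Insert link', 'URL:', { value: 'https://' }, function (url) {
      url = (url || '').trim();
      if (!url) return; // cancelled or empty: leave the text untouched
      ta.selectionStart = s;
      ta.selectionEnd = e;
      wrapLink(ta, url, false);
    });
    return 'modal';
  }
  // App.modal missing: same result as the desktop wrapSel approach,
  // with the "url" placeholder selected. No native dialog is opened.
  wrapLink(ta, 'url', true);
  return 'inline';
}
```

In the template, the existing tap handler would call insertLink(ta, window.App) with the editor's textarea.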
Filed by the automated tenant-app audit and adversarially evidence-verified. Status: verified. Open — not yet actioned.
Patrick Bass
@mobieus