Hi,
I just spent an hour trying to figure out how to post the PostgreSQL
Weekly News through the new web form after I spent this morning and
into this afternoon writing it. It would be an understatement to
describe that latter process as onerous and unpleasant.
The attempt to disallow HTML by checking for < in a regex is not super
handy, and it's probably not secure either.
https://git.postgresql.org/gitweb/?p=pgweb.git;a=commitdiff;h=b3e9a962e4514962a1fdbf86b8cdbae3103e76e9
I went and found a library Python provides called Bleach
(https://bleach.readthedocs.io/en/latest/), which should do a much
better job.
Please fix this either by making something that highlights the
offending section(s) so people have some idea what to fix, or renders
them harmless automatically, whichever seems easier. I went to the
trouble of tracking this down because I have a lot of readers each
week who expect me to get it there, but I doubt anyone else who ran
into this bothered.
Best,
David.
--
David Fetter <david(at)fetter(dot)org> http://fetter.org/
Phone: +1 415 235 3778
Remember to vote!
Consider donating to Postgres: http://www.postgresql.org/about/donate
