Re: Bugs in new announcement system - Mailing list pgsql-www

From David Fetter
Subject Re: Bugs in new announcement system
Date
Msg-id 20201109031620.GF23204@fetter.org
In response to Re: Bugs in new announcement system  (Magnus Hagander <magnus@hagander.net>)
Responses Re: Bugs in new announcement system  (Dave Cramer <davecramer@gmail.com>)
Re: Bugs in new announcement system  ("Jonathan S. Katz" <jkatz@postgresql.org>)
Re: Bugs in new announcement system  (Magnus Hagander <magnus@hagander.net>)
List pgsql-www
On Sun, Nov 08, 2020 at 06:25:17PM +0100, Magnus Hagander wrote:
> On Mon, Nov 2, 2020 at 1:10 AM David Fetter <david@fetter.org> wrote:
> >
> > Hi,
> >
> > I just spent an hour trying to figure out how to post the PostgreSQL
> > Weekly News through the new web form after I spent this morning and
> > into this afternoon writing it. It would be an understatement to
> > describe that latter process as onerous and unpleasant.
> 
> The expectation that you might need some extra time on it is why we
> notified you of the changes ahead of actually making them, and offered
> to help with any issues or questions you had around it...

When was this?

> > The attempt to disallow HTML by checking for < in a regex is not super
> > handy, and it's probably not secure either.
> 
> Fully agreed, that's a quick stop-gap measure put in earlier, that
> should've been replaced.
> 
> > I went and found a library Python provides called Bleach
> > (https://bleach.readthedocs.io/en/latest/), which should do a much
> > better job.
> 
> Yeah, that seems a lot more useful.

> > Please fix this either by making something that highlights the
> > offending section(s) so people have some idea what to fix, or renders
> > them harmless automatically, whichever seems easier. I went to the
> 
> Do you have any suggestions for how to actually accomplish such highlighting?

I'd imagine that the thing that can tell there's HTML in there can
also tell where it is and hand back a line number at a minimum.

> There are also some further issues around the preview code for that,
> since it uses a different markdown engine, but that one already has
> some issues so we should probably try to figure that part out at the
> same time.
> 
> 
> > trouble of tracking this down because I have a lot of readers each
> > week who expect me to get it there, but I doubt anyone else who ran
> > into this bothered.
> 
> Well, nobody else has reported any problems, but my guess is nobody
> else has tried pasting HTML before :)

I did not try pasting HTML in there. There was no HTML anywhere in the
newsletter before. What there was was a false positive that I had the
pleasure of tracking down.

What is it precisely that you don't want in HTML? I'm asking because
if you can come up with a list of things you want blocked, a gizmo
that removes same from that AST (er, DOM) seems like the thing that
would actually work and not burden people.

You're inferring that no complaints means no one had problems other
than me. I think a much more likely explanation is survivorship bias,
i.e. lots of people noticed it was buggy and unhelpful, and silently
gave up.

Best,
David.
-- 
David Fetter <david(at)fetter(dot)org> http://fetter.org/
Phone: +1 415 235 3778

Remember to vote!
Consider donating to Postgres: http://www.postgresql.org/about/donate
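
The false positive and the "hand back a line number" idea discussed in this message, as an added example that is not part of the original e-mail or of the pgweb code. It uses Python's standard-library `html.parser` as a stand-in for a real sanitizer such as Bleach; the function names and the sample text are constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Stop-gap check as described in the thread: any "<" is treated as HTML.
NAIVE_HTML = re.compile(r"<")

class TagLocator(HTMLParser):
    """Records (line, column, tag) for each tag the parser recognises."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.found = []

    def _record(self, name):
        line, offset = self.getpos()  # line is 1-based, offset is 0-based
        self.found.append((line, offset + 1, name))

    def handle_starttag(self, tag, attrs):
        self._record(tag)

    def handle_endtag(self, tag):
        self._record("/" + tag)

def naive_rejects(text):
    """True when the bare "<" regex would refuse the submission."""
    return NAIVE_HTML.search(text) is not None

def locate_html(text):
    """Return [(line, column, tag), ...] for markup the parser finds."""
    parser = TagLocator()
    parser.feed(text)
    parser.close()
    return parser.found

def report(text):
    """Human-readable messages pointing at each offending line."""
    lines = text.splitlines()
    return [f"line {ln}, col {col}: <{tag}> in {lines[ln - 1]!r}"
            for ln, col, tag in locate_html(text)]

# Constructed sample input, not taken from any real newsletter.
SAMPLE_CLEAN = "Weekly news\nRows where a < b are skipped\nVersions <= 12 are affected\n"
SAMPLE_HTML = 'Release notes\nSee <a href="https://example.org">the site</a> for details\n'

if __name__ == "__main__":
    print(naive_rejects(SAMPLE_CLEAN), locate_html(SAMPLE_CLEAN))
    print("\n".join(report(SAMPLE_HTML)))
```

The parser still reports anything shaped like `<` followed by a letter, such as an angle-bracketed e-mail address, as a tag, so a list of what is actually blocked is still needed on top of the location data.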


