Re: Bugs in new announcement system
From | Magnus Hagander |
---|---|
Subject | Re: Bugs in new announcement system |
Date | |
Msg-id | CABUevEzJezof8dizUWsy0K9AExL_HLLdpF1goGmax_ZBCqj1rg@mail.gmail.com |
In reply to | Bugs in new announcement system (David Fetter <david@fetter.org>) |
Responses | Re: Bugs in new announcement system |
List | pgsql-www |

On Mon, Nov 2, 2020 at 1:10 AM David Fetter <david@fetter.org> wrote:
>
> Hi,
>
> I just spent an hour trying to figure out how to post the PostgreSQL
> Weekly News through the new web form after I spent this morning and
> into this afternoon writing it. It would be an understatement to
> describe that latter process as onerous and unpleasant.

The expectation that you might need some extra time on it is why we notified you of the changes ahead of actually making them, and offered to help with any issues or questions you had around it...

> The attempt to disallow HTML by checking for < in a regex is not super
> handy, and it's probably not secure either.

Fully agreed, that's a quick stop-gap measure put in earlier, that should've been replaced.

> I went and found a library Python provides called Bleach
> (https://bleach.readthedocs.io/en/latest/), which should do a much
> better job.

Yeah, that seems a lot more useful.

> Please fix this either by making something that highlights the
> offending section(s) so people have some idea what to fix, or renders
> them harmless automatically, whichever seems easier. I went to the

Do you have any suggestions for how to actually accomplish such highlighting? There are also some further issues around the preview code for that, since it uses a different markdown engine, but that one already has some issues so we should probably try to figure that part out at the same time.

> trouble of tracking this down because I have a lot of readers each
> week who expect me to get it there, but I doubt anyone else who ran
> into this bothered.

Well, nobody else has reported any problems, but my guess is nobody else has tried pasting HTML before :)

--
Magnus Hagander
Me: https://www.hagander.net/
Work: https://www.redpill-linpro.com/
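
One way to locate the offending sections for highlighting, as an added example that is not part of the original message or of the website's code: it uses Python's standard `html.parser` (not Bleach) to report the line and column of each real tag, and contrasts that with a bare `<` check. `NAIVE_CHECK`, `TagLocator`, `find_html`, `report` and the sample text are all hypothetical names and constructed data.

```python
import re
from html.parser import HTMLParser

# Assumed stand-in for the stop-gap "look for <" check discussed in the thread.
NAIVE_CHECK = re.compile(r"<")


class TagLocator(HTMLParser):
    """Record where real HTML constructs begin, as (line, column, text)."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def _note(self, text):
        line, offset = self.getpos()  # line is 1-based, offset is 0-based
        self.findings.append((line, offset + 1, text))

    def handle_starttag(self, tag, attrs):
        self._note(self.get_starttag_text())

    def handle_startendtag(self, tag, attrs):
        # Self-closing tags such as <br/> are reported once.
        self._note(self.get_starttag_text())

    def handle_endtag(self, tag):
        self._note(f"</{tag}>")

    def handle_comment(self, data):
        self._note(f"<!--{data}-->")


def find_html(text):
    """Return every HTML construct in text with its 1-based position."""
    locator = TagLocator()
    locator.feed(text)
    locator.close()
    return locator.findings


def report(text):
    """Format findings as messages a submission form could display."""
    return [f"line {line}, column {col}: HTML is not allowed: {snippet}"
            for line, col, snippet in find_html(text)]


# Constructed sample submission: one harmless "<" and one real tag pair.
SAMPLE = ("## Weekly summary\n"
          "Planning is fast when rows < 1000.\n"
          'See <a href="https://example.org">the docs</a>.\n')
```

Locating tags only tells the author what to fix; whatever is finally rendered still needs to pass through a sanitizer or be escaped on output.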