On Tuesday 31 May 2022 at 16:11:03 CEST, Trent W. Buck wrote:
> https://sources.debian.org/src/prayer/1.3.5-dfsg1-8/session/html_secure_tidy.c/#L274-L334
> https://api.html-tidy.org/tidy/tidylib_api_5.8.0/group__parser__h.html#ga46769d54f0a1bcfd801d60c34eb563e7
>
> Is it sufficient to simply change "prvTidyDiscardElement" to
> "TY_DiscardElement"?
>
> The TY_DiscardElement docs say "TY_Private".
> Does that mean "you're not allowed to call this, either"?

You mean TY_(DiscardElement)? TY_() is simply a macro that prepends "prvTidy" to the function name, but it's internal, which is why Prayer called it as prvTidyDiscardElement(). What changed, however, is that those internal functions are now hidden so you _can't_ link them. At the same time, there is a public version now, tidyDiscardElement(), but there is no public tidyAddAttribute(), which is where we get stuck.

> If so, we can build prayer without tidy at all.
> Prayer will then use an older in-house HTML sanitizer:
>
> https://sources.debian.org/src/prayer/1.3.5-dfsg1-8/Config/?hl=16#L16
> https://sources.debian.org/src/prayer/1.3.5-dfsg1-8/session/Makefile/#L27-L35

Well, not automatically. It's not bundled with the Prayer source. I don't know if it can be found anywhere.

> The whole purpose of html_secure*.c is to "safely" embed an attacker's
> untrusted HTML (the email) inside trusted HTML (the webmail app).
> The code predates things like Content-Security-Policy (added circa 2013),
> so it's probably *NEVER* safe, regardless of whether tidy is or isn't used.
>
> Prayer is abandoned upstream since the 201x's.
> I can't find a direct citation, but here's the last time the "homepage"
> existed:
>
> https://web.archive.org/web/20161129034822/http://www-uxsup.csx.cam.ac.uk:80/~dpc22/prayer/
> https://web.archive.org/web/20130701184507/http://www-uxsup.csx.cam.ac.uk/%7Edpc22/

Yeah, it may be time to let Prayer go. It's not exactly modern, and I don't even use it myself.

-- 
Magnus Holmgren
holmg...@debian.org
Debian Developer