Improve MHonArc resource file

David Verdin requested to merge github/fork/ikedas/issue-1091_imp1 into sympa-6.2

Created by: ikedas

This is a proposal of extensive change for #1091.

  • Use <% ... %> instead of variable tags in MHonArc resource file
  • Rename resource file
  • Incidental measure

Use <% ... %> instead of variable tags in MHonArc resource file

According to the history, when the MHonArc resource file first adopted TT2, the tags <-% ... %-> were used [1]. But they were changed to (-% ... %-) for the reason that "archives were not properly TT2 parsed" [2]. In fact, if the current code is modified to use those tags, an extracted archive page may contain lines such as:

<!--X-Derived: #60#45% path_cgi %#45>/viewmod/listname/.../pngVTalOgmofN.png -->

This is not well-formed if it is parsed as XHTML or HTML 4. However, it is a legitimate comment in HTML5.

Afterward, (xxx% ... %xxx) (xxx is variable text) were introduced to make the tags unpredictable so that (maybe) code injection would be prevented [3]. However, strictly logically speaking, this is not a perfect measure. On the other hand, text including < and > cannot be injected, thanks to MHonArc, which escapes input.

Therefore, we would now do better to use the secure tags <% ... %> instead of variable tags.

Rename resource file

The French spelling "ressources" would be better avoided.

Furthermore, names consisting of alphanumeric characters and dot(s) only (and optionally hyphen(s)) should be avoided, as they may conflict with a domain name: SYSCONFDIR can contain directories named after domains.

The suggested name is mhonarc_rc.tt2.

Incidental measure

The existing mhonarc-ressources.tt2 will be converted to mhonarc_rc.tt2 during the upgrade process.

[1] sympa-community/historic-sympa@e1d3d41, src/etc/mhonarc-ressources (2004-05-06)
[2] sympa-community/historic-sympa@c1e50fa (2004-06-24)
[3] sympa-community/historic-sympa@eb39494 (2004-12-02) and sympa-community/historic-sympa@96197b2 (2004-12-14)
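The tag-choice argument in the description above, as an added example that is not part of the merge request and is not Sympa or MHonArc code. It is a simplified model: `mhonarc_escape`, `render`, `build_archive_page`, the `internal_note` variable, the token values and the sample message are all constructed, and the two-stage flow (escape the message, then template-parse the page) is an assumption of the model.

```python
import html
import re

def mhonarc_escape(text):
    # Stand-in for the input escaping the description attributes to MHonArc:
    # &, < and > in message content become entities.
    return html.escape(text, quote=False)

def render(page, start, end, variables):
    # Minimal model of template variable expansion with configurable delimiters.
    tag = re.compile(re.escape(start) + r"\s*(\w+)\s*" + re.escape(end))
    return tag.sub(lambda m: str(variables.get(m.group(1), "")), page)

def build_archive_page(start, end, message_body, variables):
    # Trusted part: written by the resource file, using the configured tags.
    trusted = '<a href="' + start + " path_cgi " + end + '/arc">archive</a>\n'
    # Untrusted part: message content, escaped before it reaches the page.
    untrusted = "<pre>" + mhonarc_escape(message_body) + "</pre>"
    # The assembled page is then template-parsed as a whole.
    return render(trusted + untrusted, start, end, variables)

# Constructed template variables and a constructed message body that carries
# one tag in each delimiter style discussed above.
VARIABLES = {"path_cgi": "/sympa", "internal_note": "EXPANDED"}
MESSAGE = ("fixed: (-% internal_note %-)\n"
           "variable: (x7q% internal_note %x7q)\n"
           "angle: <% internal_note %>")

def message_tag_expanded(start, end):
    # True if any tag carried in the message body was evaluated.
    return "EXPANDED" in build_archive_page(start, end, MESSAGE, VARIABLES)

if __name__ == "__main__":
    cases = [("(-%", "%-)", "fixed round-bracket tags"),
             ("(k2m%", "%k2m)", "variable tags, token not guessed"),
             ("(x7q%", "%x7q)", "variable tags, token guessed"),
             ("<%", "%>", "angle-bracket tags")]
    for start, end, label in cases:
        print(f"{label:34} message tag expanded: {message_tag_expanded(start, end)}")
```

Only the angle-bracket case is independent of what the sender knows: the message's own `<% ... %>` reaches the page as `&lt;% ... %&gt;`, while the resource file's tags are still expanded.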