
devel - [sympa-developpers] what's the point of shipping a wysiwyg javascript editor in sympa ?

Subject: Developers of Sympa

  • From: Guillaume Rousse <address@concealed>
  • To: address@concealed
  • Subject: [sympa-developpers] what's the point of shipping a wysiwyg javascript editor in sympa ?
  • Date: Mon, 10 Dec 2012 17:42:54 +0100

Hello list.

I just discovered the presence of the 'src/etc/scripts/js/tinymce' directory in sympa sources, containing a javascript wysiwyg editor.

I'm wondering about the usefulness of such kind of code, given that:
- it is outdated: current version is 3.5.8, sympa ships version 3.3.7
- it contains a nice list of security exploits (http://seclists.org/fulldisclosure/2011/Nov/427)
- its authors apparently never heard of XSS and other browser-based exploits, as they proudly claim "TinyMCE in itself can not be insecure" (http://www.tinymce.com/wiki.php/Security)
- its current installation procedure in sympa is broken, due to the use of "mv" in src/etc/scripts/js/Makefile.am: just try to run 'make install' twice, for instance
- its current installation procedure just pushes every file in tinymce distribution in a web-accessible directory, including documentation, examples, etc...
- and even if it was the best piece of code available, with a perfect installation procedure, what's the purpose of an online editor for a mailing-list server?

So, should we really take the time to fix its installation?

--
Guillaume Rousse
INRIA, Direction des systèmes d'information
Domaine de Voluceau
Rocquencourt - BP 105
78153 Le Chesnay
Tel: 01 39 63 58 31
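
The two installation complaints in the message above (an install step built on "mv" that breaks when run twice, and every distributed file landing in a web-accessible directory) can both be avoided with a copy-based install restricted to an allowlist. This is an added example, not part of the original message and not Sympa's Makefile.am; the function names, the extension allowlist and the `examples/` and `docs/` directory names are assumptions.

```shell
#!/bin/sh
# Added example: constructed allowlist and layout, not Sympa's Makefile.am.

# is_runtime REL: succeed if REL (relative to the tree root) is a file the
# browser needs. Assumption: runtime assets are .js/.css/.gif/.png/.htm and
# nothing under examples/ or docs/ is.
is_runtime() {
    case $1 in
        ./examples/*|./docs/*) return 1 ;;
        *.js|*.css|*.gif|*.png|*.htm) return 0 ;;
        *) return 1 ;;
    esac
}

# install_runtime SRC DEST: copy (never move) the runtime files into DEST.
# SRC is left untouched, so a second run gives the same result as the first.
install_runtime() {
    [ -d "$1" ] || { echo "missing source tree: $1" >&2; return 1; }
    mkdir -p "$2" || return 1
    list=$(cd "$1" && find . -type f) || return 1
    old_ifs=$IFS; IFS='
'; set -f   # split on newlines only; assumes no newlines in file names
    for rel in $list; do
        is_runtime "$rel" || continue
        mkdir -p "$2/$(dirname "$rel")" && cp -p "$1/$rel" "$2/$rel" ||
            { IFS=$old_ifs; set +f; return 1; }
    done
    IFS=$old_ifs; set +f
}

# count_unexpected DIR: print how many files under DIR fail is_runtime, i.e.
# documentation, examples or other leftovers the web server would serve.
count_unexpected() {
    n=0
    list=$(cd "$1" && find . -type f) || return 1
    old_ifs=$IFS; IFS='
'; set -f
    for rel in $list; do is_runtime "$rel" || n=$((n + 1)); done
    IFS=$old_ifs; set +f
    echo "$n"
}
```

Running `count_unexpected` against an already deployed web directory gives a quick measure of how much non-runtime material an earlier install left exposed.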
