
devel - Re: [sympa-developpers] what's the point of shipping a wysiwyg javascript editor in sympa ?

Subject: Developers of Sympa

  • From: David Verdin <address@concealed>
  • To: address@concealed
  • Subject: Re: [sympa-developpers] what's the point of shipping a wysiwyg javascript editor in sympa ?
  • Date: Tue, 11 Dec 2012 11:04:06 +0100

Ach...
On 10/12/12 17:42, Guillaume Rousse wrote:
> Hello list.
>
> I just discovered the presence of the 'src/etc/scripts/js/tinymce' directory in sympa sources, containing a javascript wysiwyg editor.
>
> I'm wondering about the usefulness of such kind of code, given that:
> - it is outdated: current version is 3.5.8, sympa ships version 3.3.7
> - it contains a nice list of security exploits (http://seclists.org/fulldisclosure/2011/Nov/427)
> - its authors apparently never heard of XSS and other browser-based exploits, as they proudly claim "TinyMCE in itself can not be insecure" (http://www.tinymce.com/wiki.php/Security)
> - its current installation procedure in sympa is broken, due to the use of "mv" in src/etc/scripts/js/Makefile.am: just try to run 'make install' twice, for instance
> - its current installation procedure just pushes every file in tinymce distribution in a web-accessible directory, including documentation, examples, etc...
OK for all: We should simply remove it. However, see below:
> - and even if it was the best piece of code available, with a perfect installation procedure, what's the purpose of an online editor for a mailing-list server?

It has two intended purposes:
1- allow to edit HTML shared documents. It looks weird but is an actual, if marginal, usage of Sympa.
2- allow to compose HTML newsletters in the web interface. It is almost done. The only point is that we still don't create a multipart/mixed message with the HTML code we receive. So it is completely unusable for now. This is an example of work we started and were never able to complete due to life that keeps on happening over and over...

So there is no point in distributing tinyMCE for now - and, considering the security issues you pointed out, forever. This is not a problem, as which WYSIWYG editor is used is actually configurable in the Sympa config.

I suggest the following:
  • Getting rid of any distributed WYSIWYG editor.
  • Keeping the other parts of the code unchanged so that we can finish, when we have a full half hour in front of ourselves, the HTML composing feature.

Cheers,

David

> So, should we really take the time to fix its installation?


Attachment: smime.p7s
Description: S/MIME cryptographic signature



