Boyuan Yang wrote:
> Source: prayer
> Version: 1.3.5-dfsg1-8
> Severity: grave
> X-Debbugs-CC: holmg...@debian.org
> User: tidy-ht...@packages.debian.org
> Usertags: tidy5.8
>
> your package uses some of Tidy's unexported internal
> functions that are explicitly hidden in Tidy 5.8 [...]
> I believe this change is intentional by upstream, and will not be changed in
> the forseeable future. Please consider fixing the build by removing the use of
> internal Tidy functions. Thanks!
Hi, I am a nosy bystander.
I eyeballed these two references:
https://sources.debian.org/src/prayer/1.3.5-dfsg1-8/session/html_secure_tidy.c/#L274-L334
https://api.html-tidy.org/tidy/tidylib_api_5.8.0/group__parser__h.html#ga46769d54f0a1bcfd801d60c34eb563e7
Is it sufficient to simply change "prvTidyDiscardElement to "TY_DiscardElement"?
The TY_DiscardElement docs say "TY_Private".
Does that mean "you're not allowed to call this, either"?
If so, we can build prayer without tidy at all.
Prayer will then use an older in-house HTML sanitizer:
https://sources.debian.org/src/prayer/1.3.5-dfsg1-8/Config/?hl=16#L16
https://sources.debian.org/src/prayer/1.3.5-dfsg1-8/session/Makefile/#L27-L35
The whole purpose of html_secure*.c is to "safely" embed an attacker's
untrusted HTML (the email) inside trusted HTML (the webmail app).
The code predates things like Content-Security-Policy (added circa 2013),
so it's probably *NEVER* safe, regardless of whether tidy is or isn't used.
Prayer is abandoned upstream since the 201x's.
I can't find a direct citation, but here's the last time the "homepage" existed:
https://web.archive.org/web/20161129034822/http://www-uxsup.csx.cam.ac.uk:80/~dpc22/prayer/
https://web.archive.org/web/20130701184507/http://www-uxsup.csx.cam.ac.uk/%7Edpc22/
