From: Mark Felder
To: Tijl Coosemans
Cc: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org, wblock@freebsd.org, hrs@freebsd.org
Subject: Re: svn commit: r391576 - head/security/vuxml
Date: Thu, 09 Jul 2015 08:37:35 -0500

On Thu, Jul 9, 2015, at 08:01, Tijl Coosemans wrote:
>
> It's better to mark paragraphs with

instead of

and > lists can be created with
    and
  • instead of ascii art like this:
>

Thanks for the suggestion. I noticed the formatting was terrible and thought "I should add some
    , I wonder if anyone else has used that?" and did a search in vuxml for it. I found results and was satisfied with my decision at the time. It looked OK, so I went with it, but by then I had forgotten that I manually added the * to create the fake ascii-art list :-)

I realize now that I should have just looked at the page source and copied exactly what they had to keep the formatting identical:

    We just published updates to both stable versions 1.0 and 1.1 after fixing many minor bugs and adding some security improvements to the 1.1 release branch. Version 1.0.6 comes with cherry-picked fixes from the more recent version to ensure proper long term support especially in regards of security and compatibility.

    The security-related fixes in particular are:

    • XSS vulnerability in _mbox argument
    • security improvement in contact photo handling
    • potential info disclosure from temp directory

Hindsight is 20/20 I guess?

I've also been talking to wblock about training igor to work nicely with vuxml. It reports a ridiculous amount of violations if you run it against the whole file, but it would be nice to have it identify the newest entry or the VID you supply and give you additional formatting feedback on your entry.

Additionally, per my suggestion hrs has a patch to improve the vuxml port which lets you do a "make VID=xxx-xxx-xxx-xxx html" and have it spit out the full vuxml html page so you can view your entry in a browser and ensure you're happy with the layout before committing.

I hope this will be beneficial to all contributors.