CVEProject / cve-website

The new CVE website

Make descriptions with line breaks human readable. #2557

Open chandanbn opened 7 months ago

chandanbn commented 7 months ago

CNAs add line breaks in descriptions to make them readable; the current website CSS rendering does not preserve line breaks and makes them harder to read.

The fix would be adding CSS like this to the description's style (#cve-desciption):

white-space: break-spaces;

Example: https://test.cve.org/CVERecord?id=CVE-2024-0052

Current:

[Screenshot 2024-02-20 at 11 04 21 AM]

Improved readability:

[Screenshot 2024-02-20 at 11 03 59 AM]

See also #1574

ElectricNroff commented 6 months ago

I think this may interfere with the ability to adapt to the screen size on some platforms.

For example, after making this white-space: break-spaces change, with Chrome 122.0.6261.90 on a small Android tablet, I see the following sequence of lines for part of the CVE-2024-0727 content:

A file in PKCS12 format can contain certificates and keys
and may come from an
untrusted source. The PKCS12 specification allows certain
fields to be NULL, but
OpenSSL does not correctly check for this case. This can
lead to a NULL pointer

whereas, on a desktop platform, the number of words on a line is always reasonably consistent, but is a much smaller number of words than would be rendered by default, e.g.,

A file in PKCS12 format can contain certificates and keys and may come from an
untrusted source. The PKCS12 specification allows certain fields to be NULL, but
OpenSSL does not correctly check for this case. This can lead to a NULL pointer

instead of the default behavior, which uses a substantially larger fraction of the screen width.

This occurs because, as in thousands of other CVE Records, the CNA's JSON content has explicit line breaks that might maintain (or even improve) readability on (perhaps only) desktop platforms:

A file in PKCS12 format can contain certificates and keys and may come from an\n
untrusted source. The PKCS12 specification allows certain fields to be NULL, but\n
OpenSSL does not correctly check for this case. This can lead to a NULL pointer\n

It really depends on one's opinion of the purpose of the CVE website. One possible opinion is that CNAs are entitled to make assumptions about how the cve.org website works, optimize cve.org for usability on some platforms over others, and exercise customization of some aspects of cve.org page layout (such as line breaks). An alternate position is to accept that cross-platform page layout choices are made by the cve.org website designers to meet user experience expectations on each platform, and that any attempts by a data provider to control cve.org page layout (e.g., with explicit line breaks) will always be ignored. In this position, if a data provider wants to offer a custom page layout to some consumers, then a field such as /containers/cna/descriptions/0/supportingMedia/0/value should be used, because there is no intention of accommodating page layout suggestions within /containers/cna/descriptions/0/value.
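Added example, not part of the thread or the cve-website code: a JavaScript sketch that approximates the two renderings compared in the comment above, using fixed character columns in place of pixel widths. The function names and the column counts (60 for a narrow tablet, 200 for a desktop) are assumptions made for illustration; the sample text is the hard-wrapped excerpt quoted in the comment.

```javascript
// Constructed sample: the hard-wrapped excerpt quoted in the comment above.
const description =
  "A file in PKCS12 format can contain certificates and keys and may come from an\n" +
  "untrusted source. The PKCS12 specification allows certain fields to be NULL, but\n" +
  "OpenSSL does not correctly check for this case. This can lead to a NULL pointer\n";

// Greedy word wrap of one run of text to at most `cols` characters per line.
// Assumption: a fixed character count stands in for the real pixel width.
function wrap(text, cols) {
  const lines = [];
  let cur = "";
  for (const word of text.split(/\s+/).filter(Boolean)) {
    if (cur && cur.length + 1 + word.length > cols) {
      lines.push(cur);
      cur = word;
    } else {
      cur = cur ? cur + " " + word : word;
    }
  }
  if (cur) lines.push(cur);
  return lines;
}

// Approximates the default (white-space: normal): source newlines collapse
// into ordinary spaces, so the text reflows to whatever width is available.
function renderNormal(text, cols) {
  return wrap(text, cols);
}

// Approximates white-space: break-spaces: every source newline forces a
// break, and each resulting segment still soft-wraps when it is too long.
function renderPreserved(text, cols) {
  return text
    .replace(/\n$/, "")
    .split("\n")
    .flatMap((seg) => {
      const wrapped = wrap(seg, cols);
      return wrapped.length ? wrapped : [""]; // keep blank lines as paragraph breaks
    });
}

for (const cols of [60, 200]) {
  console.log(`--- ${cols} columns, newlines preserved ---`);
  console.log(renderPreserved(description, cols).join("\n"));
  console.log(`--- ${cols} columns, default ---`);
  console.log(renderNormal(description, cols).join("\n"));
}
```

At 60 columns the preserved-newline rendering alternates long and short lines, as in the tablet excerpt; at 200 columns it stays at three lines of about 80 characters while the default rendering fills the width.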

chandanbn commented 6 months ago

I feel it would still be more readable on mobile screens compared to the existing wall of text.