

How can I run my own instance of this

41 2020-02-20 00:13

>>40

I used your regex unmodified and checked post numbers against *max-posts* as you suggested

While I cannot yet pull the new code since it has not yet made its way into the GitLab repo, I would like to reiterate that, as I tried to convey in the irregex posts, bbs.scm:posts-range needs its own strict parsing validation regardless of the changes to lib/markup.scm:quotelink. This is because quotelink only protects against user content that goes through the post form, while the range argument of posts-range comes from the match path in route, where path is just a split of the request URI without the qstring. Therefore, the range can be directly crafted with wget, curl and the like completely bypassing quotelink, at which point >>30 applies:

$ wget --user-agent="Mozilla/5.0 Firefox/66.0" --server-response -O test.html 'https://textboard.org/prog/39/30---,,,---,,,---30'

I actually had a longer series of stress tests planned for quotelink+posts-range rather than just those two, where a series of incremental changes would be suggested after each was justified by a test, instead of dumping a batch of suggested changes as an amorphous blob pulled out of my pineal gland. That regex was merely a first candidate. But after causing downtime I changed my mind and won't perform them on the live site when I expect the result to be a small error. Instead I think I'll take some time out and see whether there is some sufficiently hassle-free way to perform tests in a local MIT Scheme REPL without having to go full nginx, which I'd rather avoid.

vi vi vi the editor of the beast

Since your views align with rms on this point, one wonders why you chose the MIT license over (A)GPL for SchemeBBS.
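
A sketch of the strict validation post 41 asks for on the range path segment, as an added example that is not part of the original post and not SchemeBBS code. The grammar (comma-separated N or N-M items), the names parse-number and parse-range, and the limits 300 and 16 are assumptions made for illustration.

```scheme
;; Added example, not SchemeBBS code. Assumed grammar for the range segment:
;;   range = item *("," item)      item = N / N "-" M
;; with 1 <= N <= M <= max-posts and at most max-items items.

;; Read an unsigned decimal (ASCII digits only, no leading zero) from S
;; starting at index I. Returns (value . next-index), or #f on no digits,
;; a leading zero, or a value above MAX-POSTS (checked per digit, so a long
;; digit run is rejected early instead of building a bignum).
(define (parse-number s i max-posts)
  (let ((len (string-length s)))
    (let loop ((j i) (n 0))
      (if (and (< j len) (char<=? #\0 (string-ref s j) #\9))
          (let ((n* (+ (* n 10)
                       (- (char->integer (string-ref s j))
                          (char->integer #\0)))))
            (if (or (= n* 0) (> n* max-posts))
                #f
                (loop (+ j 1) n*)))
          (if (= j i) #f (cons n j))))))

;; Validate the whole segment. Returns a list of (lo . hi) pairs, or #f if
;; any character falls outside the grammar. The caller answers #f with an
;; error page and never passes the raw string further down.
(define (parse-range s max-posts max-items)
  (let ((len (string-length s)))
    (let loop ((i 0) (count 0) (acc '()))
      (let ((lo (and (< count max-items) (parse-number s i max-posts))))
        (and lo
             (let* ((dash? (and (< (cdr lo) len)
                                (char=? (string-ref s (cdr lo)) #\-)))
                    (hi (if dash?
                            (parse-number s (+ (cdr lo) 1) max-posts)
                            lo)))
               (and hi
                    (<= (car lo) (car hi))
                    (let ((acc (cons (cons (car lo) (car hi)) acc))
                          (k (cdr hi)))
                      (cond ((= k len) (reverse acc))
                            ((char=? (string-ref s k) #\,)
                             (loop (+ k 1) (+ count 1) acc))
                            (else #f))))))))))

;; Constructed inputs: a well-formed range, then the crafted segment from
;; the wget line in post 41.
(display (parse-range "1-3,5" 300 16)) (newline)
(display (parse-range "30---,,,---,,,---30" 300 16)) (newline)
```

Because the check runs on the path segment itself, it applies to requests made with wget or curl as well as to links generated by quotelink.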
