[Koha-bugs] [Bug 23978] Notes field in saved reports should allow for HTML
bugzilla-daemon at bugs.koha-community.org
Tue Feb 6 23:35:35 CET 2024
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=23978
--- Comment #7 from David Cook <dcook at prosentient.com.au> ---
(In reply to Martin Renvoize from comment #6)
> Is there a more secure way of doing this rather than just exposing the raw
> html.. I feel like we're just undoing a security flaw we fixed for a reason.
Yeah I don't think we can just expose the raw HTML. One option would be to use
the HTML scrubber. I think there are quite a few parts of Koha where people
want to use HTML, but could be limited to a fairly small subset of elements and
attributes.
> Is it time to use markdown for rich text or perhaps for linebreaks just
> outputting the note field in a pre/code block?
For line breaks, the "html_line_break" filter can be useful.
For notes, adding that line break filter would make sense. I don't know that
any other HTML features would really be needed though. If they were to be added, I
think we'd have to scrub them first.
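
The two options discussed in this comment, sketched in Perl as an added example that is not part of the original comment and is not Koha's code. It uses the CPAN modules HTML::Entities and HTML::Scrubber directly; the helper names, the allowed element list and the sample note are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use HTML::Entities qw(encode_entities);
use HTML::Scrubber;    # CPAN module

# Constructed sample note, not taken from the bug report.
my $note = join "\n",
    'Monthly <b>overdues</b> report',
    '<a href="https://example.org/help" onclick="track()">help</a>',
    '<script>alert(1)</script>';

# Option 1: line breaks only. Escape first, then convert newlines, so the
# only markup in the output is the <br /> generated here. (Hypothetical
# helper; it stands in for an escape step followed by a line break filter.)
sub escape_with_line_breaks {
    my ($text) = @_;
    my $escaped = encode_entities( $text, q{<>&"'} );
    $escaped =~ s{\r?\n}{<br />\n}g;
    return $escaped;
}

# Option 2: a small subset of elements and attributes. HTML::Scrubber
# drops any tag or attribute that is not explicitly allowed.
my $scrubber = HTML::Scrubber->new(
    allow => [qw( b i em strong p br ul ol li )],
    rules => [
        # Links: only an http(s) href survives, every other attribute goes.
        a => { href => qr{^https?://}i, '*' => 0 },
    ],
);

sub scrub_note {
    my ($html) = @_;
    return $scrubber->scrub($html);
}

print "Escaped with line breaks:\n", escape_with_line_breaks($note), "\n\n";
print "Scrubbed to allowlist:\n",    scrub_note($note),              "\n";
```

In option 1 the order matters: converting newlines before escaping would turn the generated `<br />` tags into visible text.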