https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19121 Bug ID: 19121 Summary: Prevent XSS in the Staff Client and the OPAC - bis Change sponsored?: --- Product: Koha Version: master Hardware: All OS: All Status: ASSIGNED Severity: normal Priority: P5 - low Component: Architecture, internals, and plumbing Assignee: jonathan.druart@bugs.koha-community.org Reporter: jonathan.druart@bugs.koha-community.org QA Contact: testopia@bugs.koha-community.org On bug 13618 we tried to escape variables at template level: all variables were escaped using Template::Stash::AutoEscaping::Escaped::HTML::escape It works well, but unfortunately it leads to performance issues (see bug 15715). Indeed in some scripts, 70k variables are displayed Another approach would be to escape variables when they are sent to the scripts. We will get only 1 call per variable passed to the script and we will not escape unnecessarily variables several times, or variables coming from the DB (maybe we will need a script to clean the data?) -- You are receiving this mail because: You are watching all bug changes.