https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39860 David Cook <dcook@prosentient.com.au> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Needs Signoff |Failed QA --- Comment #32 from David Cook <dcook@prosentient.com.au> --- Sorry but I'm going to fail this one again. I think 3/4 of my original issues from Comment 10 have been resolved, which is awesome. But I notice we're still using the "staff" profile for the HTML scrubber, and that's not going to prevent XSS, because it allows everything. In fact... I don't know why that profile was ever created. It looks like it goes back to the original creating of C4::Scrubber at f8fecb78634 Looking at existing use of the C4::Scrubber... we're using the profiles "note", "comment", and "default". I think we should actually remove the "staff" profile. I'll add a new bug for that... -- You are receiving this mail because: You are watching all bug changes.