https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39860 --- Comment #11 from David Cook <dcook@prosentient.com.au> --- (In reply to Lucas Gass (lukeg) from comment #6)
-I tried using HTML scrubber to scrub script tags but it scrubs too much. I want to be able to use most HTML tags, maybe just not JS?
In practice, this is actually pretty challenging to do. The obvious one is to restrict <script> tags, but there's lots of other ways of injecting Javascript via other tags and attributes. (I should compile a list one of these days, as it's difficult to keep track of them all, but that's also part of the problem with a list... maintenance of the list.) Anyway, not going to give away all my security secrets here, but just... yeah it's challenging balancing security and convenience/flexibility. -- You are receiving this mail because: You are watching all bug changes.