https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=40659 --- Comment #12 from Lucas Gass (lukeg) <lucas@bywatersolutions.com> --- (In reply to David Cook from comment #11)
(In reply to Andrew Fuerste-Henry from comment #10)
(In reply to David Cook from comment #8)
However, for new code, I think that we want to do better - in any case.
Can you provide some further detail on what "do better" would mean to you in this situation? What is it about the approach on 39860 that meets your needs better than the work here?
Yeah for sure. I can DM you with more in-depth info, but here I'll say that bug 39860 uses the HTML::Scrubber to allow a safe range of HTML to be added.
I'd add it's not about my needs, but rather the security of Koha as a whole. I'm just quite active in the security space. At some point, I hope to either add some additional coding guidelines or a separate "Safe Coding Guidelines" to complement the existing coding guidelines, which should then make things clearer. Thanks for the question!
Is there any reason those details cannot be shared here fro transparency? If scrubbing the HTML is the only issue then I think this should be left in Notices/Slips where it can be scrubbed. The reason is simple, notices/slips already has a pattern for using placeholder/substitutions which will be need in this bug. I advocate to leave this in notice/slips for that reason. -- You are receiving this mail because: You are watching all bug changes.