https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19121 --- Comment #4 from Jonathan Druart <jonathan.druart@bugs.koha-community.org> --- (In reply to Katrin Fischer from comment #2)
Ok, not totally sure if I understand this approach right, but I talked some to Robin this morning while I was working on the XSS patches and from what I understand changing the data on the way is probably not the answer. We might want to use the data in different contexts where different encoding might be needed. Data needs to be encoded differently for use in HTML, attributes, JavaScript or in an URL. I am also thinking of our HTML preferences, CSV and file output, MARC data etc.
That is why there is a Koha::CGI->param_raw method
Robin suggested HTML::Escape as a fast module for escaping. If we wrap that into a plugin/make our own filter, we could maybe solve the performance issues:
http://search.cpan.org/~tokuhirom/HTML-Escape-1.09/lib/HTML/Escape.pm
Nope, IIRC it is not faster than Template::Stash::AutoEscaping::Escaped::HTML::espape (see the patch). I tried to improve the escapement on bug 13618. The speed was not the problem, the number of variables was. -- You are receiving this mail because: You are watching all bug changes.