https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=25279 --- Comment #22 from Tomás Cohen Arazi <tomascohen@gmail.com> --- (In reply to Jonathan Druart from comment #21)
(In reply to Tomás Cohen Arazi from comment #20)
(In reply to Jonathan Druart from comment #19)
4. We reached a point where we don't have XSS issue in our templates, all variables are correctly escaped. With this adding more JS code we should continue to enforce the rule, all the variables must be correctly escaped.
You mean data that comes from the API????
I did not investigate it, I don't know where it's best to escape them.
We will take a look, ideally we would do something DT-side, so this doesn't get borked with calls to URI/HTML encoding methods all over the place.
Keep in mind that "sometimes" we want to display raw data, but I don't think it should be a problem: we could unescape in that case.
"Escape them all at the source" is maybe the way to go here but you will certainly need to loop over all the values of the objects, even when we will display only few of them (perf consequences?)
Yeah, we certainly need: - html escaped representations - URI escaped representations so we at least need a seamless way to request those without obfuscating the syntax. Maybe add data.url and data.html methods... We'll see. -- You are receiving this mail because: You are watching all bug changes.