[Koha-bugs] [Bug 19121] New: Prevent XSS in the Staff Client and the OPAC - bis

bugzilla-daemon at bugs.koha-community.org bugzilla-daemon at bugs.koha-community.org
Tue Aug 15 21:20:35 CEST 2017


https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19121

            Bug ID: 19121
           Summary: Prevent XSS in the Staff Client and the OPAC - bis
 Change sponsored?: ---
           Product: Koha
           Version: master
          Hardware: All
                OS: All
            Status: ASSIGNED
          Severity: normal
          Priority: P5 - low
         Component: Architecture, internals, and plumbing
          Assignee: jonathan.druart at bugs.koha-community.org
          Reporter: jonathan.druart at bugs.koha-community.org
        QA Contact: testopia at bugs.koha-community.org

On bug 13618 we tried to escape variables at template level: all variables were
escaped using Template::Stash::AutoEscaping::Escaped::HTML::escape.
It works well, but unfortunately it leads to performance issues (see bug
15715). Indeed, in some scripts 70k variables are displayed.

Another approach would be to escape variables when they are sent to the
scripts. We will get only 1 call per variable passed to the script, and we will
not unnecessarily escape variables several times, or variables coming from the
DB (maybe we will need a script to clean the data?).

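To make the trade-off concrete, here is an added Python sketch, not Koha's own code (Koha is Perl with Template Toolkit; the tiny `[% name %]` renderer, the escape-call counters and the sample request/DB values are stand-ins constructed for this illustration). It contrasts escaping every variable at render time with escaping request parameters once at the boundary, and shows the two caveats the report raises: values already in the DB passing through unescaped, and double escaping when both strategies are left on.

```python
import html
import re

# Constructed sample data (not from Koha): one untrusted request parameter and one
# value that was stored in the DB unescaped, the gap the report points at.
REQUEST_PARAMS = {"q": "<script>alert(1)</script>"}
DB_ROW = {"title": "Record with <img src=x onerror=alert(2)>"}
TEMPLATE = "<p>Search: [% q %]</p><p>Title: [% title %]</p>"

def render(template, variables):
    """Minimal [% name %] substitution standing in for Template Toolkit."""
    return re.sub(r"\[%\s*(\w+)\s*%\]",
                  lambda m: str(variables.get(m.group(1), "")), template)

def render_escape_at_output(template, params, db_row):
    """Template-level strategy (bug 13618): escape every variable as it is
    rendered, whatever its origin. Returns (html, number of escape calls)."""
    merged = {**params, **db_row}
    escaped = {k: html.escape(str(v)) for k, v in merged.items()}
    return render(template, escaped), len(escaped)

def render_escape_at_input(template, params, db_row):
    """Boundary strategy proposed in this report: escape each request parameter
    once, when the script reads it. DB values are rendered as stored."""
    safe_params = {k: html.escape(v) for k, v in params.items()}
    merged = {**safe_params, **db_row}
    return render(template, merged), len(safe_params)

def render_double_escaped(template, params, db_row):
    """Both strategies on at once: input-escaped text is escaped again at
    output, so '&lt;' becomes '&amp;lt;' and the entity shows up literally."""
    safe_params = {k: html.escape(v) for k, v in params.items()}
    return render_escape_at_output(template, safe_params, db_row)[0]

def has_active_markup(rendered):
    """Crude check for tags that survived escaping (a test aid, not a sanitizer)."""
    return re.search(r"<(script|img)\b", rendered, re.I) is not None
```

Escaping at output costs one call per rendered variable but covers stored data too; escaping at input is cheaper but only protects what enters through the script, which is why the report asks whether existing DB content would need a one-off cleanup.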