[Koha-bugs] [Bug 19121] New: Prevent XSS in the Staff Client and the OPAC - bis
bugzilla-daemon at bugs.koha-community.org
Tue Aug 15 21:20:35 CEST 2017
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19121
Bug ID: 19121
Summary: Prevent XSS in the Staff Client and the OPAC - bis
Change sponsored?: ---
Product: Koha
Version: master
Hardware: All
OS: All
Status: ASSIGNED
Severity: normal
Priority: P5 - low
Component: Architecture, internals, and plumbing
Assignee: jonathan.druart at bugs.koha-community.org
Reporter: jonathan.druart at bugs.koha-community.org
QA Contact: testopia at bugs.koha-community.org
On bug 13618 we tried to escape variables at template level: all variables were
escaped using Template::Stash::AutoEscaping::Escaped::HTML::escape.
It works well, but unfortunately it leads to performance issues (see bug
15715). Indeed, in some scripts, 70k variables are displayed.
Another approach would be to escape variables when they are sent to the
scripts. We will get only 1 call per variable passed to the script and we will
not unnecessarily escape variables several times, or variables coming from the
DB (maybe we will need a script to clean the data?).
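The following is an added illustration of the second approach described in this report (escape once at the point where data is handed to the template), not Koha's own code. The package, sub and variable names (Escaped::HTML::String, html_escape, escape_for_template, render) are hypothetical; the idea of wrapping an already-escaped value in a marker object so that a later pass does not escape it again is borrowed from the Escaped::HTML object named above. The patron record and the template string are constructed sample input; the tiny render() stands in for Template Toolkit so the script runs with core Perl only.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Scalar::Util qw(blessed);

# Marker class for a string that has already been HTML-escaped (hypothetical).
# Stringifying it yields the escaped text, so a template can print it directly,
# and escape_for_template() recognises it and leaves it alone.
package Escaped::HTML::String {
    use overload '""' => sub { ${ $_[0] } }, fallback => 1;
    sub new { my ( $class, $s ) = @_; return bless \$s, $class; }
}

package main;

my %ENTITY = (
    '&' => '&amp;', '<' => '&lt;', '>' => '&gt;', '"' => '&quot;', "'" => '&#39;',
);

# Escape one scalar exactly once for insertion into HTML text or attributes.
sub html_escape {
    my ($s) = @_;
    return $s unless defined $s;
    return $s if blessed($s) && $s->isa('Escaped::HTML::String');
    ( my $out = $s ) =~ s/([&<>"'])/$ENTITY{$1}/g;
    return Escaped::HTML::String->new($out);
}

# Walk the structure a script passes to its template (scalars, array refs,
# hash refs) and escape every leaf string once, at the boundary. Each value is
# touched a single time, which is the cost model the report is after.
sub escape_for_template {
    my ($data) = @_;
    return $data unless defined $data;
    return $data if blessed($data);               # already escaped, keep as is
    if ( ref $data eq 'ARRAY' ) {
        return [ map { escape_for_template($_) } @$data ];
    }
    if ( ref $data eq 'HASH' ) {
        my %out;
        $out{$_} = escape_for_template( $data->{$_} ) for keys %$data;
        return \%out;
    }
    return $data if ref $data;                    # code/scalar refs: not printable
    return html_escape($data);
}

# Minimal stand-in for the template engine: substitutes [% name %] with the
# (already escaped) value and does no escaping of its own.
sub render {
    my ( $template, $vars ) = @_;
    ( my $out = $template ) =~ s/\[%\s*(\w+)\s*%\]/defined $vars->{$1} ? "$vars->{$1}" : ''/ge;
    return $out;
}

# Constructed sample: a patron record as a script might load it from the DB.
my $patron = {
    surname   => 'Doe <script>alert(1)</script>',
    firstname => "O'Brien",
    cards     => [ 'A&B', '"quoted"' ],
};

my $vars = escape_for_template($patron);   # one escape call per value
print render( "<h1>[% surname %], [% firstname %]</h1>\n", $vars );
# <h1>Doe &lt;script&gt;alert(1)&lt;/script&gt;, O&#39;Brien</h1>

# Running the boundary escape a second time (for example from a defensive
# helper further down the call chain) changes nothing: no &amp;lt; appears.
my $again = escape_for_template($vars);
print "$again->{surname}" eq "$vars->{surname}"
    ? "second pass is a no-op\n"
    : "double escaped!\n";
```

The marker object is what makes the "escape when sent to the script" approach safe to combine with data that is already escaped (for instance values that a cleanup script has rewritten in the DB): the walk costs one call per value, and a value that carries the marker is never escaped twice. Values that must legitimately carry markup would need to be wrapped in the marker class deliberately by the script, which keeps that decision visible in the code rather than in the template.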