[Koha-bugs] [Bug 19121] Prevent XSS in the Staff Client and the OPAC - bis

bugzilla-daemon at bugs.koha-community.org
Wed Aug 16 15:02:05 CEST 2017


https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19121

--- Comment #2 from Katrin Fischer <katrin.fischer at bsz-bw.de> ---
Ok, not totally sure if I understand this approach right, but I talked some to 
Robin this morning while I was working on the XSS patches and from what I
understand changing the data on the way is probably not the answer. We might
want to use the data in different contexts where different encoding might be
needed. Data needs to be encoded differently for use in HTML, attributes,
JavaScript or in a URL. I am also thinking of our HTML preferences, CSV and
file output, MARC data etc.

Robin suggested HTML::Escape as a fast module for escaping. If we wrap that
into a plugin/make our own filter, we could maybe solve the performance issues:

http://search.cpan.org/~tokuhirom/HTML-Escape-1.09/lib/HTML/Escape.pm

-- 
You are receiving this mail because:
You are watching all bug changes.
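The context dependence argued above, shown as an added Perl example that is neither Koha code nor the comment author's: one constructed raw title is escaped four ways, with HTML::Escape for the text-node and attribute contexts, URI::Escape for the URL, and a hand-written `escape_js_string` (an assumption, not a CPAN function) for a JavaScript string literal.

```perl
use strict;
use warnings;
use HTML::Escape qw(escape_html);   # the fast escaper mentioned in the comment
use URI::Escape  qw(uri_escape_utf8);

# Constructed sample: a title containing characters that are significant in
# several output contexts. It is stored once, raw, and encoded only on output.
my $title = q{Tom's "Guide" <to> Libraries & <script>alert(1)</script>};

# 1. HTML text node and 2. quoted attribute value: escape_html turns
#    & < > " ' into entities, so one function covers both contexts as long
#    as attribute values are always quoted in the template.
my $as_text = escape_html($title);
my $as_attr = '<input value="' . escape_html($title) . '">';

# 3. JavaScript string literal: HTML entities are the wrong tool here. The
#    literal needs backslash escapes for quotes, backslashes and line breaks,
#    and "</" is split so the value cannot close the surrounding <script>.
sub escape_js_string {
    my ($s) = @_;
    $s =~ s/\\/\\\\/g;
    $s =~ s/'/\\'/g;
    $s =~ s/"/\\"/g;
    $s =~ s/\n/\\n/g;
    $s =~ s/\r/\\r/g;
    $s =~ s{</}{<\\/}g;
    return $s;
}
my $as_js = "var title = '" . escape_js_string($title) . "';";

# 4. URL query parameter: percent-encoding. Had the title been HTML-escaped
#    on the way in, this step would encode the entity text itself
#    ("&amp;" -> "%26amp%3B") and the link would carry the wrong value,
#    which is why storage time is the wrong layer for encoding.
my $as_url = '/search?q=' . uri_escape_utf8($title);   # placeholder path

print "$_\n" for $as_text, $as_attr, $as_js, $as_url;
```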