[Koha-bugs] [Bug 19121] Prevent XSS in the Staff Client and the OPAC - bis
bugzilla-daemon at bugs.koha-community.org
Wed Aug 16 15:31:29 CEST 2017
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19121
--- Comment #4 from Jonathan Druart <jonathan.druart at bugs.koha-community.org> ---
(In reply to Katrin Fischer from comment #2)
> Ok, not totally sure if I understand this approach right, but I talked some
> to Robin this morning while I was working on the XSS patches and from what
> I understand changing the data on the way is probably not the answer. We
> might want to use the data in different contexts where different encoding
> might be needed. Data needs to be encoded differently for use in HTML,
> attributes, JavaScript or in an URL. I am also thinking of our HTML
> preferences, CSV and file output, MARC data etc.
That is why there is a Koha::CGI->param_raw method.
> Robin suggested HTML::Escape as a fast module for escaping. If we wrap that
> into a plugin/make our own filter, we could maybe solve the performance
> issues:
>
> http://search.cpan.org/~tokuhirom/HTML-Escape-1.09/lib/HTML/Escape.pm
Nope, IIRC it is not faster than
Template::Stash::AutoEscaping::Escaped::HTML::escape (see the patch).
I tried to improve the escapement on bug 13618. The speed was not the problem,
the number of variables was.
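The contexts listed in the quoted comment (HTML text, attribute values, JavaScript, URLs, plus non-HTML outputs such as CSV) each need a different encoder, which is the reason a single escape-on-input step cannot be correct for all of them. The following stand-alone Perl script is an added illustration, not Koha code and not part of the bug discussion; it uses only core modules (no HTML::Escape or Template::Stash::AutoEscaping), and the sample title, the escaper names and the BMP-only assumption in the JavaScript encoder are the example's own.

```perl
#!/usr/bin/perl
# Added example, not Koha code: the same untrusted value emitted into
# several output contexts, each with its own encoding. Core modules only.
use strict;
use warnings;
use Encode qw(encode_utf8);

# HTML text and quoted attribute values (the same five characters that
# TT's html filter handles). The single quote is included so the result
# is also safe inside single-quoted attributes.
sub escape_html {
    my ($s) = @_;
    my %map = ('&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
               '"' => '&quot;', "'" => '&#39;');
    $s =~ s/([&<>"'])/$map{$1}/g;
    return $s;
}

# JavaScript string literal inside a <script> block. HTML escaping is the
# wrong tool here: a backslash or newline breaks the literal, and the
# sequence "</script>" ends the block no matter how the string is quoted.
# Everything outside a small safe set becomes \uXXXX (BMP only, assumed).
sub escape_js_string {
    my ($s) = @_;
    $s =~ s/([^A-Za-z0-9 ,.])/sprintf('\\u%04X', ord $1)/ge;
    return $s;
}

# URL query component: percent-encode the UTF-8 bytes of every character
# outside the RFC 3986 "unreserved" set.
sub escape_url_component {
    my ($s) = @_;
    my $bytes = encode_utf8($s);
    $bytes =~ s/([^A-Za-z0-9\-._~])/sprintf('%%%02X', ord $1)/ge;
    return $bytes;
}

# CSV field (RFC 4180): no HTML entities at all, just quote-doubling.
sub csv_field {
    my ($s) = @_;
    return $s unless $s =~ /[",\r\n]/;
    $s =~ s/"/""/g;
    return qq{"$s"};
}

# Constructed sample: a title as an attacker might submit it.
my $title = q{Fire & Ice: "Cold" <script>alert(1)</script>};

print "<h1>", escape_html($title), "</h1>\n";
print qq{<input value="}, escape_html($title), qq{">\n};
print "<script>var t = '", escape_js_string($title), "';</script>\n";
print "<a href=\"/search?q=", escape_url_component($title), "\">go</a>\n";
print csv_field($title), "\n";

# What "escape on the way in" does to the non-HTML outputs: the CSV row
# and the JS value now carry HTML entities that their consumers never
# decode, which is why a raw accessor is still needed on those paths.
my $pre_escaped = escape_html($title);
print csv_field($pre_escaped), "\n";
print "<script>var t = '", escape_js_string($pre_escaped), "';</script>\n";
```

Run it with `perl escape_contexts.pl` (hypothetical file name). The last two lines of output show the corruption that input-time HTML escaping causes in a CSV export and in a JavaScript value: the data is no longer dangerous, but it is no longer the data either.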