[Koha-bugs] [Bug 19121] Prevent XSS in the Staff Client and the OPAC - bis

bugzilla-daemon at bugs.koha-community.org
Wed Aug 16 16:10:57 CEST 2017


https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19121

--- Comment #6 from Robin Sheat <robin at kallisti.net.nz> ---
You can't process the data on the way in.

You will end up with corrupt data:

* in the database
* output via APIs
* in the web display whenever you're doing anything that isn't straight HTML
(JSON, javascript, URLs, attributes, ...)

HTML::Escape is XS, so likely to be faster than a pure-perl implementation. If
it's the amount of iterations that is the problem, then you'll probably need to
remove the filtering from those parts, assuming they're safe, and perhaps
filter them on the way to the template engine if that's faster. But these
should be special cases in general.

> It is not only script elements, we need to escape all HTML characters.
That isn't true though. You need to escape only in HTML, and you mustn't escape
for things that aren't HTML.

For reference, the way we did this recently is loosely:

* A script added a '| maybexss' filter to all template variables[0]. This
filter does not do any HTML escaping (i.e. things shouldn't break.)
* Filters were added: '|n' for things that should be HTML (i.e. no filter),
'|attr' for HTML attribute values, ones for JS numbers, strings, bools.
* The default for templates was set to escape any variables.[1]
* Whenever anyone saw a '|maybexss', they removed it if it shouldn't be HTML,
or replaced it with one of the above, or if possible refactored it to not
output the backend-supplied content (e.g. if it's possible to make it an 'if'
condition with fixed answers.)
* Measuring the amount of maybexsses remaining was an indicator of how far
through the cleanup was.

[0] this was done with many one/several-file commits, so if something went
really bad, it could be reverted for them.
[1] I think that this was done with a flag at the top of the file, so that it
could be done progressively.
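As an added illustration of the approach Robin describes above (escape on output, with one filter per output context, and never on the way in), here is a self-contained Perl script written for this page; it is not Koha code and does not reproduce Koha's Template Toolkit setup. The function names (escape_html, escape_attr, escape_js_string, escape_url_component, count_maybexss), the sample title and the template fragment are all constructed for the example; HTML::Escape is mentioned in the thread but is not required here, since the escapers are written out with plain substitutions so the script runs with core Perl only.

```perl
#!/usr/bin/perl
# Added example (not Koha code): context-specific output escaping, plus a
# demonstration of why escaping on the way *in* corrupts non-HTML output.
use strict;
use warnings;
use JSON::PP ();   # core module, used to show the JSON corruption case

# Constructed sample input: a record title as a user might submit it.
my $title = q{Tom & Jerry <script>alert("x")</script> "q" 'single'};

# '|html' role: HTML text content. Covers the same characters HTML::Escape's
# escape_html handles; written out here so the script needs no CPAN module.
sub escape_html {
    my ($s) = @_;
    my %map = ('&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
               '"' => '&quot;', "'" => '&#39;');
    $s =~ s/([&<>"'])/$map{$1}/g;
    return $s;
}

# '|attr' role: attribute values. The same escaping is sufficient only when the
# template always quotes the attribute: title="[% t | attr %]", never title=[% t | attr %].
sub escape_attr { return escape_html($_[0]) }

# JS string role: for a value placed inside a quoted JavaScript literal in a
# <script> block. '<' and '>' are encoded so a value containing "</script>"
# cannot close the enclosing element.
sub escape_js_string {
    my ($s) = @_;
    $s =~ s/\\/\\\\/g;            # backslash first, so later escapes are not doubled
    $s =~ s/"/\\"/g;
    $s =~ s/'/\\'/g;
    $s =~ s/\r/\\r/g;
    $s =~ s/\n/\\n/g;
    $s =~ s/\x{2028}/\\u2028/g;   # JS line terminators not covered by \n
    $s =~ s/\x{2029}/\\u2029/g;
    $s =~ s/</\\x3c/g;
    $s =~ s/>/\\x3e/g;
    return $s;
}

# URL role: a query-string component, percent-encoded as UTF-8 bytes.
sub escape_url_component {
    my ($s) = @_;
    utf8::encode($s) if utf8::is_utf8($s);
    $s =~ s/([^A-Za-z0-9\-._~])/sprintf('%%%02X', ord($1))/ge;
    return $s;
}

# Progress metric from the thread: count '|maybexss' filters left in a template.
sub count_maybexss {
    my ($template_text) = @_;
    my $n = () = $template_text =~ /\|\s*maybexss\b/g;
    return $n;
}

# --- Render the same raw value into each output context ---
print "<h1>", escape_html($title), "</h1>\n";
print "<input value=\"", escape_attr($title), "\">\n";
print "<script>var t = \"", escape_js_string($title), "\";</script>\n";
print "<a href=\"/search?q=", escape_url_component($title), "\">search</a>\n";

# --- Why escaping on input is wrong: the stored value is no longer the data ---
my $stored_escaped = escape_html($title);   # what an input-side filter would save
my $json = JSON::PP->new->canonical;
print "API output from raw data:     ", $json->encode({ title => $title }), "\n";
print "API output from escaped data: ", $json->encode({ title => $stored_escaped }), "\n";
# The second JSON document carries HTML entities inside the string value, so
# every non-HTML consumer (an API client, a JS app, an export) shows mangled text.

# --- Cleanup progress: constructed template fragment with filters still to review ---
my $tmpl = <<'TT';
<td>[% biblio.title | maybexss %]</td>
<td>[% biblio.author | html %]</td>
<a href="[% url | maybexss %]">link</a>
TT
printf "maybexss filters remaining: %d\n", count_maybexss($tmpl);
```

Each escaper is tied to exactly one context, which is the point of the per-context filters in the thread: the HTML escaper is wrong inside a script block, and the JS string escaper is wrong in attribute text. The JSON comparison shows the data-corruption problem directly: once the entity-encoded string is what the database holds, every non-HTML path (API, export, JavaScript) receives the wrong bytes and has no way to recover the original.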
