[Koha-bugs] [Bug 23341] Hold Notes should allow for HTML tags

bugzilla-daemon at bugs.koha-community.org
Fri Aug 9 09:39:15 CEST 2019


https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=23341

Katrin Fischer <katrin.fischer at bsz-bw.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |katrin.fischer at bsz-bw.de

--- Comment #6 from Katrin Fischer <katrin.fischer at bsz-bw.de> ---
(In reply to Nick Clemens from comment #5)
> This has one caveat - patrons can enter these notes, not just staff, so this
> would open the possibility of an XSS attack
> 
> Talking internally we think we could filter the patron note on entry
> 
> Alternatively, we can split the note into a public_note and private_note -
> filter the public and display it to patrons, but don't filter the
> private_note and keep it only for staff

Do we know more about the use case for this? If it's about handling line breaks
like in the example from Jessica we could handle this easily without allowing
line breaks.

Otherwise I really like the idea of splitting into internal and public notes as
this would allow for more flexible use. Right now if you use the note publicly,
you don't have any way to make internal notes and this could easily go wrong. 

Should we reset status here to "In discussion"?

-- 
You are receiving this mail because:
You are watching all bug changes.
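
The line-break case raised in comment #6, as an added example that is not part of the original mail or of Koha's own code: escaping a note on output and only then turning newlines into <br> keeps the line breaks a patron typed without letting any typed HTML through. The function and class names are assumptions; public_note and private_note follow the field names proposed in comment #5.

```python
import html
from dataclasses import dataclass


def render_note(text: str) -> str:
    """Escape a free-text note for HTML output, keeping its line breaks."""
    # Normalise CRLF / CR so every line break is a single "\n".
    normalised = text.replace("\r\n", "\n").replace("\r", "\n")
    # Escape first: <, >, & and both quote characters become entities,
    # so nothing the patron typed can be parsed as markup.
    escaped = html.escape(normalised, quote=True)
    # Only now add markup, and only the one tag generated here.
    return escaped.replace("\n", "<br>\n")


@dataclass
class HoldNotes:
    """Hypothetical record for a hold with the two proposed note fields."""
    public_note: str = ""
    private_note: str = ""


def notes_for_display(notes: HoldNotes, is_staff: bool) -> dict:
    """Return the rendered notes that a given viewer is allowed to see."""
    shown = {"public_note": render_note(notes.public_note)}
    if is_staff:
        # Assumption of this example: the staff-only note is escaped as well.
        shown["private_note"] = render_note(notes.private_note)
    return shown


# Constructed sample input, not taken from the bug report.
SAMPLE = HoldNotes(
    public_note="Pick up at desk 2\r\n<script>alert(1)</script>\nThanks & bye",
    private_note="Patron called twice\nID checked",
)

if __name__ == "__main__":
    print(notes_for_display(SAMPLE, is_staff=False))
    print(notes_for_display(SAMPLE, is_staff=True))
```

Escaping at output time leaves the stored note unchanged, so the same text can still be shown as plain text in notices or exports.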

