[Koha-bugs] [Bug 25279] Make the cities list use the API

bugzilla-daemon at bugs.koha-community.org bugzilla-daemon at bugs.koha-community.org
Tue May 5 21:38:31 CEST 2020


https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=25279

--- Comment #21 from Jonathan Druart <jonathan.druart at bugs.koha-community.org> ---
(In reply to Tomás Cohen Arazi from comment #20)
> (In reply to Jonathan Druart from comment #19)
> > > > 4. We reached a point where we don't have XSS issues in our templates, all
> > > > variables are correctly escaped.
> > > > With this adding more JS code, we should continue to enforce the rule: all
> > > > the variables must be correctly escaped.
> > > 
> > > You mean data that comes from the API????
> > 
> > I did not investigate it, I don't know where it's best to escape them.
> 
> We will take a look, ideally we would do something DT-side, so this doesn't
> get borked with calls to URI/HTML encoding methods all over the place.

Keep in mind that "sometimes" we want to display raw data, but I don't think it
should be a problem: we could unescape in that case.

"Escape them all at the source" is maybe the way to go here, but you will
certainly need to loop over all the values of the objects, even when we will
display only a few of them (perf consequences?)

-- 
You are receiving this mail because:
You are watching all bug changes.
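
The two options weighed in this thread, escaping every value at the source versus escaping table-side, sketched as an added example that is not part of the original message or Koha's code. The city records, `escapeAtSource`, `renderRows` (a stand-in for the table library) and the call counter are constructed for illustration; the renderers follow the DataTables `columns.render` signature `(data, type, row)`.

```javascript
// Added example: sample data and helper names are constructed, not Koha code.
let escapeCalls = 0;
const HTML_ENTITIES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Encode the characters that are significant in HTML text and attribute values.
function escapeHtml(value) {
  escapeCalls++;
  return String(value ?? "").replace(/[&<>"']/g, (c) => HTML_ENTITIES[c]);
}

// Constructed API response: five fields per object, only two are displayed.
const cities = [
  { city_id: 1, name: "<script>alert(1)</script>", state: "A & B",
    postal_code: "75001", country: "FR" },
  { city_id: 2, name: "O'Fallon", state: "MO", postal_code: "63366", country: "US" },
];

// Option 1: "escape them all at the source", looping over every value.
function escapeAtSource(rows) {
  return rows.map((row) => Object.fromEntries(
    Object.entries(row).map(([key, value]) => [key, escapeHtml(value)])));
}

// Option 2: escape table-side, in the column renderer. Only the "display"
// type is escaped, so sorting and filtering still see the raw value.
const escapeForDisplay = (data, type) => (type === "display" ? escapeHtml(data) : data);
const columns = [
  { data: "name", render: escapeForDisplay },
  { data: "state", render: escapeForDisplay },
];

// Stand-in for the table library: builds the cell HTML for each row.
function renderRows(rows, cols) {
  return rows.map((row) => "<tr>" +
    cols.map((col) => `<td>${col.render(row[col.data], "display", row)}</td>`).join("") +
    "</tr>");
}

// Run both options on the same data and report how many values each escaped.
function compare() {
  escapeCalls = 0;
  const pre = escapeAtSource(cities);
  const atSource = escapeCalls;
  escapeCalls = 0;
  const html = renderRows(cities, columns);
  return { atSource, atRender: escapeCalls, pre, html };
}
```

On this sample, escaping at the source touches every field of every object, while the renderers touch only the displayed cells and leave the raw value available to the non-display types.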

