[Koha-bugs] [Bug 25279] Make the cities list use the API

bugzilla-daemon at bugs.koha-community.org
Tue May 5 21:50:00 CEST 2020


https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=25279

--- Comment #22 from Tomás Cohen Arazi <tomascohen at gmail.com> ---
(In reply to Jonathan Druart from comment #21)
> (In reply to Tomás Cohen Arazi from comment #20)
> > (In reply to Jonathan Druart from comment #19)
> > > > > 4. We reached a point where we don't have XSS issues in our templates, all
> > > > > variables are correctly escaped.
> > > > > With this adding more JS code we should continue to enforce the rule, all
> > > > > the variables must be correctly escaped.
> > > > 
> > > > You mean data that comes from the API????
> > > 
> > > I did not investigate it, I don't know where it's best to escape them.
> > 
> > We will take a look, ideally we would do something DT-side, so this doesn't
> > get borked with calls to URI/HTML encoding methods all over the place.
> 
> Keep in mind that "sometimes" we want to display raw data, but I don't think
> it should be a problem: we could unescape in that case.
> 
> "Escape them all at the source" is maybe the way to go here but you will
> certainly need to loop over all the values of the objects, even when we will
> display only a few of them (perf consequences?)

Yeah, we certainly need:
- HTML-escaped representations
- URI-escaped representations

so we at least need a seamless way to request those without obfuscating the
syntax. Maybe add data.url and data.html methods... We'll see.

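The `data.html` / `data.url` idea from the comment above, sketched as an added example (not code from Koha or from this bug's patches): each API row gets lazy `html` and `url` views that escape a field only when it is read, so there is no up-front loop over every value. `wrapRow`, `lazyView`, the two escaping helpers, `renderNameCell` and the sample row are hypothetical.

```javascript
// Added example: lazy per-field escaping for rows returned by a REST API.
// All names and the sample row are hypothetical, constructed for illustration.
const HTML_ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape for HTML element content and quoted attribute values.
function escapeHtml(value) {
  if (value === null || value === undefined) return '';
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Escape for use as a single URI component (query value or path segment).
function escapeUrl(value) {
  if (value === null || value === undefined) return '';
  return encodeURIComponent(String(value));
}

// Read-only view that escapes a field only when it is read, and caches
// the result so repeated renders of the same cell do not redo the work.
function lazyView(row, escapeFn) {
  const cache = new Map();
  return new Proxy({}, {
    get(_target, field) {
      // Only own data fields of the row are exposed; anything else is undefined.
      if (typeof field !== 'string' || !Object.prototype.hasOwnProperty.call(row, field)) {
        return undefined;
      }
      if (!cache.has(field)) cache.set(field, escapeFn(row[field]));
      return cache.get(field);
    },
  });
}

// row.raw.x is the untouched API value; row.html.x and row.url.x are escaped.
function wrapRow(row) {
  return { raw: row, html: lazyView(row, escapeHtml), url: lazyView(row, escapeUrl) };
}

// Constructed sample row, shaped like a city object containing markup.
const city = wrapRow({ city_id: 7, name: 'A&B <b>"x"</b>', state: null });

// Cell renderer in the style of a table column callback: the URI-escaped
// value goes in the link target, the HTML-escaped value in the link text.
function renderNameCell(c) {
  return '<a href="/cities?name=' + c.url.name + '">' + c.html.name + '</a>';
}
```

Raw display stays an explicit choice (`city.raw.name`), so a template that needs unescaped data has to ask for it by name.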
