[Koha-devel] Huge performance issue cause by bug 13618 (XSS)

Jonathan Druart jonathan.druart at bugs.koha-community.org
Wed Feb 10 15:49:25 CET 2016


Hi devs,

I have very bad news...
Working on bug 15715, I have found that the patchset introduced by bug
13618 (Prevent XSS in the Staff Client and the OPAC) causes a very
important performance issue.

Indeed, for each variable displayed in the template, a
Template::Stash::AutoEscaping->get method is called.

To try and understand the problem, I have put the following snippet in
the mainpage.pl script:
+my @loop;
+for my $i ( 0 .. 10000 ) {
+    push @loop, {
+        foo => 'my foo',
+        bar => 'my bar',
+    };
+}
+$template->param( loop => \@loop );

and then, in the template
+[% FOR l IN loop %]
+    [% l.foo %] [% l.bar %]
+    <br/>
+[% END %]

It will display 10k foo and 10k bar.
There are indeed 20k (+ delta) calls to the
Template::Stash::AutoEscaping method, as expected.
But the load of the page increases from 2sec to 10sec (no plack,
measured with Firebug > network tab).

On catalogue/search.pl, 1800 calls, from 6sec to 6.5s

On authorities/authorities.pl?breedingid=186&authtypecode=CORPO_NAME&authid=0
(From bug 15715), 64k calls (!!!) from ~10sec to ~4min

On cataloguing/addbiblio.pl?biblionumber=1, 13k calls, from 3sec to 9sec

Do not take these measures too strictly, but they give an idea of the issue...

So I don't see a lot of methods to fix that:
1/ Revert and abandon 13618
2/ Understand how it's possible to have 60k calls to display a form
and try to improve these areas
3/ Profile Template::Stash::AutoEscaping to know if we cannot optimise
what it does
4/ Any brilliant ideas?

Jonathan

https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=15715
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=13618
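A stand-alone reproduction of the measurement described above, added here as an example and not part of the original mail or of Koha: it renders the same 10k-row loop once with the default Template::Stash and once with Template::Stash::AutoEscaping (the CPAN module bug 13618 introduces), checks that only the auto-escaping stash entity-encodes a constructed markup value, and then times both renders. It assumes Template Toolkit, Benchmark and Template::Stash::AutoEscaping are installed.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Benchmark qw(timethese cmpthese);
use Template;
use Template::Stash;
use Template::Stash::AutoEscaping;

# Constructed input mirroring the mainpage.pl snippet: 10k rows, two
# variables each, so one render performs ~20k stash lookups.
my @loop = map { { foo => 'my foo', bar => 'my bar' } } 0 .. 9999;
# One constructed value carrying markup, to show what the escaping buys.
$loop[0]{foo} = '<script>alert(1)</script>';

# Same template as in the mail (here as a string instead of a .tt file).
my $tmpl = <<'TT';
[% FOR l IN loop %]
    [% l.foo %] [% l.bar %]
    <br/>
[% END %]
TT

my $plain = Template->new({ STASH => Template::Stash->new });
my $auto  = Template->new({ STASH => Template::Stash::AutoEscaping->new });

# Render the template with the given Template object and return the output.
sub render {
    my ($tt) = @_;
    my $out = '';
    $tt->process( \$tmpl, { loop => \@loop }, \$out ) or die $tt->error;
    return $out;
}

# Correctness first: the default stash passes the markup through verbatim,
# the auto-escaping stash entity-encodes it on every [% ... %] lookup.
my $plain_out = render($plain);
my $auto_out  = render($auto);
die "default stash unexpectedly altered the markup\n"
    unless index( $plain_out, '<script>' ) >= 0;
die "auto-escaping stash did not escape the markup\n"
    unless index( $auto_out, '&lt;script&gt;' ) >= 0;

# Then the cost: time the ~20k lookups per render under each stash.
cmpthese( timethese( 5, {
    'Template::Stash'               => sub { render($plain) },
    'Template::Stash::AutoEscaping' => sub { render($auto)  },
} ) );
```

The ratio cmpthese prints isolates the per-variable escaping overhead from the rest of a Koha page load, which is the part the profiling option (3/) above would target.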

