[Koha-devel] Huge performance issue cause by bug 13618 (XSS)
Chris Cormack
chrisc at catalyst.net.nz
Thu Feb 11 05:21:23 CET 2016
* Mark Tompsett (mtompset at hotmail.com) wrote:
> Greetings,
>
> Jonathan Druart wrote:
> >Indeed, for each variable displayed in the template, a
> >Template::Stash::AutoEscaping->get method is called.
> ...
> >and then, in the template
> >+[% FOR l IN loop %]
> >+ [% l.foo %] [% l.bar %]
> >+ <br/>
> >+[% END %]
> >
> >It will display 10k foo and 10k bar
> >There are indeed 20k (+ delta) calls to the
> >Template::Stash::AutoEscaping method, as expected.
> >But the load of the page increases from 2sec to 10sec (no plack,
> >measured with Firebug > network tab)
>
> It isn't brilliant, if it does work, because that's a lot of editing, but I
> was noticing people starting to use ".raw". Does a .raw have a large impact?
> +[% FOR l IN loop %]
> + [% l.foo.raw %] [% l.bar.raw %]
> + <br/>
> +[% END %]
>
> If it increased from 2s to 3s with .raw, that wouldn’t be so bad. I'm just
> brainstorming.
>
Hi Mark
.raw skips doing the escaping, opening us up for XSS attacks again. So not really a solution
I'm afraid.
Chris
--
Chris Cormack
Catalyst IT Ltd.
+64 4 803 2238
PO Box 11-053, Manners St, Wellington 6142, New Zealand
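The following is an added illustration, not code from the thread or from Koha, written in Python instead of Template Toolkit so it runs stand-alone. It models the two things discussed above: a stash whose `get` is called once per displayed variable (so 10k rows with `foo` and `bar` produce 20k calls), and the difference between the auto-escaped value and its `.raw` form. The class and function names, and the constructed rows, are assumptions made for the example.

```python
import html


class Escaped:
    """Value handed back by the stash. Stringifying it HTML-escapes the
    original text; the .raw attribute returns the original untouched,
    mirroring the `[% l.foo.raw %]` usage in the thread (modelled here,
    not Template::Stash::AutoEscaping's own implementation)."""

    __slots__ = ("raw",)

    def __init__(self, original):
        self.raw = original  # escaping is skipped entirely on this path

    def __str__(self):
        return html.escape(self.raw, quote=True)


class AutoEscapingStash:
    """Escape-on-get stash: every variable fetched for display goes through
    get(), and a counter records how many times that happens."""

    def __init__(self):
        self.get_calls = 0

    def get(self, row, name):
        self.get_calls += 1
        return Escaped(str(row[name]))


def make_rows(n):
    """Constructed sample data standing in for the 10k-row `loop`."""
    return [{"foo": f"foo{i}", "bar": f"bar{i}"} for i in range(n)]


def render_loop(rows, use_raw=False):
    """Render the equivalent of:
        [% FOR l IN loop %] [% l.foo %] [% l.bar %] <br/> [% END %]
    Returns (html, number_of_stash_get_calls)."""
    stash = AutoEscapingStash()
    parts = []
    for l in rows:
        foo = stash.get(l, "foo")
        bar = stash.get(l, "bar")
        if use_raw:
            # .raw bypasses escaping: untrusted markup reaches the page as-is
            foo, bar = foo.raw, bar.raw
        parts.append(f" {foo} {bar}\n <br/>\n")
    return "".join(parts), stash.get_calls


# Constructed row carrying untrusted markup, to show what .raw lets through.
UNTRUSTED_ROWS = [{"foo": "<script>/* untrusted */</script>", "bar": "ok"}]

if __name__ == "__main__":
    _, calls = render_loop(make_rows(10_000))
    print(f"stash.get calls for 10k rows: {calls}")      # 20000
    print(render_loop(UNTRUSTED_ROWS)[0])                 # &lt;script&gt;...
    print(render_loop(UNTRUSTED_ROWS, use_raw=True)[0])   # <script>... unescaped
```

The counter reproduces the "20k (+ delta) calls" arithmetic from Jonathan's measurement, and the two renderings of the untrusted row make Chris's point concrete: `.raw` removes the per-variable escaping cost only by removing the escaping, so whatever is in the database lands in the page verbatim.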