https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39860
David Cook <[email protected]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |[email protected]
             Status|Needs Signoff               |Failed QA

--- Comment #10 from David Cook <[email protected]> ---
I've got a few comments:

1. It looks like you figured out the profile/settings argument for C4::Scrubber in the end, but I'd argue that "staff" is too permissive. One could argue that since it's a system preference an admin user could already inject malicious JS via *UserJS, but I suppose the danger here is the XSS coming from the MARC record without the admin user's knowledge. I think we'd need a more specific profile/setting for scrubbing this content. I had a bug report somewhere that allowed for scrubber settings that could be deployed locally for maximum flexibility, but I can't find it right now... Failing QA for this one.

2. Why would we need to run this through the XSLTs? Wouldn't it be more efficient to add it to the return data of C4::XSLT::XSLTParse4Display()? (That is, right now we return the return value of $engine->transform(), but we could store that, append to it, and then return that concatenated value. You might have a good reason for not doing that, but I don't see what it is at a glance on my own.)

3. Technically, we don't use XHTML anymore - we use HTML5, which isn't fully XML-compatible, so in theory someone could enter valid HTML which might cause XSLT errors. I'd be curious how it handles HTML5's "<br>" instead of XHTML's "<br/>", for instance. I wonder if it would croak on there not being a closing tag.

4. You shouldn't use Koha::TemplateUtils::process_tt() here. I'll DM you with the reason why. Also Failed QA for this one.

-- 
You are receiving this mail because:
You are watching all bug changes.
_______________________________________________ Koha-bugs mailing list [email protected] https://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs website : http://www.koha-community.org/ git : http://git.koha-community.org/ bugs : http://bugs.koha-community.org/
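Points 1 and 3 of the comment above raise two concrete questions: whether an XML-based XSLT step chokes on HTML5 void tags such as "<br>", and what a narrower scrubbing profile for record-derived content would look like. The following is an added example written for this page; it is not Koha code, not C4::Scrubber, and not any profile discussed in the bug. It uses Python's standard library rather than Koha's Perl stack, since the well-formedness rule it demonstrates is the same for any XML parser: "line<br>more" is rejected, "line<br/>more" is accepted. The allowlist of tags, attributes and URL schemes is an assumption chosen for illustration; the scrubber drops disallowed tags and unsafe attributes, discards script/style bodies, self-closes void elements and balances unclosed tags, so its output is always well-formed XML and can safely be appended to XSLT output.

```python
"""Added example (not Koha code): HTML5 void tags vs. XML well-formedness,
and a small allowlist scrubber that emits XHTML.

The allowlist below is a hypothetical profile chosen for this example, not a
C4::Scrubber profile. Sample inputs in the test are constructed."""
import re
import xml.etree.ElementTree as ET
from html.parser import HTMLParser
from xml.sax.saxutils import escape, quoteattr

# HTML5 void elements: legal without a closing tag in HTML, fatal in XML.
VOID_ELEMENTS = {"area", "base", "br", "col", "embed", "hr", "img", "input",
                 "link", "meta", "source", "track", "wbr"}

# Hypothetical allowlist for record-derived text (assumption, not Koha's).
ALLOWED_TAGS = {"b", "i", "em", "strong", "p", "br", "ul", "ol", "li", "a"}
ALLOWED_ATTRS = {"a": {"href", "title"}}
DROP_CONTENT_TAGS = {"script", "style"}   # tag AND its body are discarded


def is_well_formed_xml(fragment: str) -> bool:
    """True if the fragment parses as XML, i.e. what an XSLT engine needs."""
    try:
        ET.fromstring(f"<root>{fragment}</root>")
        return True
    except ET.ParseError:
        return False


def _safe_url(value: str) -> bool:
    # Allow http(s)/mailto and scheme-less relative URLs; anything else with a
    # colon (javascript:, data:, vbscript:, ...) is rejected.
    return bool(re.match(r"(?i)^(?:https?:|mailto:)", value)) or ":" not in value


class XhtmlScrubber(HTMLParser):
    """Allowlist scrubber whose output is guaranteed well-formed XHTML."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self._out = []
        self._stack = []   # allowlisted non-void tags currently open
        self._drop = 0     # > 0 while inside script/style

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            self._drop += 1
            return
        if self._drop or tag not in ALLOWED_TAGS:
            return         # disallowed tag removed, its text content kept
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue   # e.g. onclick, style: never copied
            value = (value or "").strip()
            if name in ("href", "src") and not _safe_url(value):
                continue
            kept.append(f" {name}={quoteattr(value)}")
        if tag in VOID_ELEMENTS:
            self._out.append(f"<{tag}{''.join(kept)}/>")   # XHTML form
        else:
            self._out.append(f"<{tag}{''.join(kept)}>")
            self._stack.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT_TAGS:
            if self._drop:
                self._drop -= 1
            return
        if self._drop or tag not in ALLOWED_TAGS or tag in VOID_ELEMENTS:
            return
        if tag in self._stack:
            # Close anything opened after it so nesting stays valid.
            while True:
                top = self._stack.pop()
                self._out.append(f"</{top}>")
                if top == tag:
                    break

    def handle_data(self, data):
        if not self._drop:
            self._out.append(escape(data))   # re-escape <, >, & for XML

    def result(self) -> str:
        while self._stack:                   # balance unclosed tags
            self._out.append(f"</{self._stack.pop()}>")
        return "".join(self._out)


def scrub_to_xhtml(html: str) -> str:
    parser = XhtmlScrubber()
    parser.feed(html)
    parser.close()
    return parser.result()


if __name__ == "__main__":
    sample = '<p>Summary<br>see <a href="javascript:alert(1)" onclick="x()">here</a><script>evil()</script></p>'
    print(is_well_formed_xml("line<br>more"), is_well_formed_xml("line<br/>more"))
    print(scrub_to_xhtml(sample))
```

Running the script shows the HTML5 fragment failing the XML check while the XHTML one passes, and the scrubbed sample reduced to `<p>Summary<br/>see <a>here</a></p>`. The design point is that scrubbing to an allowlist and serialising as XHTML in one pass answers both concerns: the content no longer carries event handlers or script URLs, and it cannot break a downstream XML parser.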
