https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39860
--- Comment #11 from David Cook <[email protected]> ---
(In reply to Lucas Gass (lukeg) from comment #6)
> -I tried using HTML scrubber to scrub script tags but it scrubs too much. I
> want to be able to use most HTML tags, maybe just not JS?

In practice, this is actually pretty challenging to do.

The obvious one is to restrict <script> tags, but there are lots of other ways of injecting JavaScript via other tags and attributes. (I should compile a list one of these days, as it's difficult to keep track of them all, but that's also part of the problem with a list... maintenance of the list.)

Anyway, not going to give away all my security secrets here, but just... yeah it's challenging balancing security and convenience/flexibility.
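
The trade-off discussed above can be approached by listing what is allowed rather than what is banned, so that tags and attributes nobody enumerated are dropped by default. The configuration below is an added example, not code from this bug report or from Koha; it assumes the CPAN module HTML::Scrubber, and the tag list, attribute rules, URL pattern and sample input are all constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use HTML::Scrubber;

# Assumed editorial tag set: anything not listed is removed (its text is kept).
my @allowed_tags = qw(
    p br hr div span h1 h2 h3 h4 h5 h6 strong b em i u s sub sup
    blockquote pre code ul ol li dl dt dd
    table thead tbody tfoot tr th td caption
);

# URL allowlist: http(s), mailto, or a value with no scheme separator at all.
# Any other scheme fails the match and the attribute is dropped.
my $safe_link = qr{\A(?:https?://|mailto:|[^:]*\z)}i;
my $safe_src  = qr{\A(?:https?://|[^:]*\z)}i;

my $scrubber = HTML::Scrubber->new(
    allow => \@allowed_tags,
    rules => [
        # Per-tag attribute allowlists; '*' => 0 denies everything not named.
        a   => { href => $safe_link, title => 1, '*' => 0 },
        img => { src => $safe_src, alt => 1, width => 1, height => 1, '*' => 0 },
    ],
    # Default: unknown tags are denied (0). For allowed tags, only these
    # attributes survive; event handlers and style are never listed.
    default => [ 0 => { class => 1, colspan => 1, rowspan => 1, '*' => 0 } ],
    comment => 0,    # strip HTML comments
    process => 0,    # strip processing instructions
);

# Constructed sample input mixing ordinary markup with script-bearing markup.
my $input = <<'HTML';
<h2 class="notice" onclick="alert(1)">Opening hours</h2>
<p style="color:red">See <a href="https://example.org/hours" target="_blank">the schedule</a>
or <a href="javascript:alert(1)">this link</a>.</p>
<script>alert(1)</script>
HTML

print $scrubber->scrub($input);
```

The maintenance burden moves to the allowlist: a tag or attribute that editors need but that is missing gets stripped, which shows up as a visible formatting complaint rather than as a silent security gap.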
