https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39860

--- Comment #34 from David Cook <dc...@prosentient.com.au> ---
(In reply to David Cook from comment #32)
> But I notice we're still using the "staff" profile for the HTML scrubber,
> and that's not going to prevent XSS, because it allows everything. 
> 
> In fact... I don't know why that profile was ever created. It looks like it
> goes back to the original creation of C4::Scrubber at f8fecb78634
> 
> Looking at existing use of the C4::Scrubber... we're using the profiles
> "note", "comment", and "default". I think we should actually remove the
> "staff" profile. I'll add a new bug for that...

I've opened bug 40087 to remove the "staff" profile.

I think this bug report should add its own profile to C4::Scrubber. I know it's
hard to think up a list of allowed elements. I do think we need better ways of
allowing for per-instance configuration of C4::Scrubber profiles (while
retaining sensible secure defaults), but for now... especially since this is a
new feature... I think we start with a small list and build up.

I can't find it anymore, but once upon a time I swear I wrote a patch to make
C4::Scrubber per-instance configurable, and I had a comprehensive list of safe
elements. I'm sorry I can't find it now. 

I'd also encourage you to look at bug 38498. I don't have a patch there, but
it's important to keep in mind. That is, we need to block many attributes (for
instance, anything that starts with "on"), but it would be nice to be able to
use some attributes like "id" and "class" at the very least, so we can use CSS.

Happy to work with you on this one...

-- 
_______________________________________________
Koha-bugs mailing list
Koha-bugs@lists.koha-community.org
https://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs
website : http://www.koha-community.org/
git : http://git.koha-community.org/
bugs : http://bugs.koha-community.org/
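As an added illustration of the approach the comment argues for (a small element allowlist, all attributes denied by default so that every `on*` handler is dropped, with `id` and `class` explicitly re-enabled for CSS), here is a standalone HTML::Scrubber configuration of the kind a new C4::Scrubber profile could be built from. This is example code written for this page, not Koha's C4::Scrubber; the element list, the `a`-specific rule and the sample input are assumptions chosen for illustration, and the existing Koha profiles may differ.

```perl
#!/usr/bin/perl
# Added example, not Koha's C4::Scrubber code. Shows an HTML::Scrubber
# configuration implementing a deny-by-default attribute policy with an
# explicit, small element allowlist. Element list is an assumption.
use strict;
use warnings;
use HTML::Scrubber;

# Start small and build up: only these elements survive scrubbing.
my @allowed_elements = qw( p br b i em strong ul ol li span div );

my $scrubber = HTML::Scrubber->new(
    allow => \@allowed_elements,
    rules => [
        # Links get their own rule: href must be http(s); nothing else
        # besides class/id is kept (so onmouseover etc. are removed).
        a => {
            href  => qr{^https?://}i,
            class => 1,
            id    => 1,
            '*'   => 0,
        },
    ],
    default => [
        0,              # any element not listed above is denied
        {
            '*'   => 0, # deny every attribute by default: onclick, onerror, style, ...
            class => 1, # re-enable the two hooks needed for CSS
            id    => 1,
        },
    ],
    comment => 0,       # strip HTML comments
    process => 0,       # strip processing instructions
);

# Constructed sample input covering the cases raised in the thread:
# inline event handlers, a javascript: URL, a script element, an img with onerror.
my $untrusted = <<'HTML';
<p id="intro" class="lead" onclick="alert(1)">Hello <b>world</b></p>
<a href="javascript:alert(1)" class="btn">rejected scheme</a>
<a href="https://example.org/" onmouseover="x()">kept link</a>
<script>alert('xss')</script>
<img src="x" onerror="alert(1)">
HTML

print $scrubber->scrub($untrusted), "\n";
```

The key design choice is the order of the two mechanisms: the `allow` list decides which elements exist at all, while `'*' => 0` in `default` makes every attribute opt-in, so a future attribute name the profile never anticipated (including any new `on*` handler) is dropped rather than passed through. Per-element `rules` entries such as the one for `a` override the defaults only for that element, which is where a scheme check on `href` belongs.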