https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39860
--- Comment #39 from Lucas Gass (lukeg) <lu...@bywatersolutions.com> ---

(In reply to David Cook from comment #32)
> Sorry but I'm going to fail this one again.
>
> I think 3/4 of my original issues from Comment 10 have been resolved, which
> is awesome.
>
> But I notice we're still using the "staff" profile for the HTML scrubber,
> and that's not going to prevent XSS, because it allows everything.
>
> In fact... I don't know why that profile was ever created. It looks like it
> goes back to the original creation of C4::Scrubber at f8fecb78634
>
> Looking at existing use of the C4::Scrubber... we're using the profiles
> "note", "comment", and "default". I think we should actually remove the
> "staff" profile. I'll add a new bug for that...

I'm just curious why we scrub nothing in HTML customization, News, or Pages (the other additional contents) but need to scrub here?
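As an added illustration (not code from Koha, from C4::Scrubber, or from anyone in this thread), the following standalone Perl script uses HTML::Scrubber, the CPAN module C4::Scrubber is built on, to contrast an allow-everything profile, the behaviour the comment above attributes to the "staff" profile, with an explicit allow-list profile; the tag lists, attribute rules and sample markup are constructed for the example and do not reproduce Koha's real profile definitions.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use HTML::Scrubber;

# Constructed sample: ordinary markup carrying an inline event handler,
# which is exactly what a scrubber profile must strip before display.
my $sample = '<p class="note">Hello <span onmouseover="doSomething()">there</span></p>';

# Profile A: allow every tag and every attribute (constructed stand-in for
# an "allows everything" profile; not the real C4::Scrubber definition).
# Nothing is removed, so the scrubber provides no protection at all.
my $allow_all = HTML::Scrubber->new(
    default => [ 1, { '*' => 1 } ],
);

# Profile B: an explicit allow-list (also constructed for this example).
# Tags not listed are dropped (their text content is kept) and only the
# attributes named in 'rules' survive; on* handlers are never listed.
my $allow_list = HTML::Scrubber->new(
    allow   => [qw( p b i em strong br span )],
    rules   => {
        p    => { class => 1 },
        span => { class => 1 },
    },
    default => [ 0, { '*' => 0 } ],
);

# Small regression check a reviewer can keep in a test suite: scrubbed
# output must never contain an inline event-handler attribute.
sub has_event_handler {
    my ($html) = @_;
    return $html =~ /\bon[a-z]+\s*=/i ? 1 : 0;
}

for my $profile ( [ 'allow-all', $allow_all ], [ 'allow-list', $allow_list ] ) {
    my ( $name, $scrubber ) = @$profile;
    my $out = $scrubber->scrub($sample);
    printf "%-10s -> %s\n", $name, $out;
    printf "%-10s    event handler survived: %s\n",
        '', has_event_handler($out) ? 'YES' : 'no';
}
```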