https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=40659
--- Comment #12 from Lucas Gass (lukeg) <[email protected]> --- (In reply to David Cook from comment #11) > (In reply to Andrew Fuerste-Henry from comment #10) > > (In reply to David Cook from comment #8) > > > However, for new code, I think that we want to do better - in any case. > > > > Can you provide some further detail on what "do better" would mean to you in > > this situation? What is it about the approach on 39860 that meets your needs > > better than the work here? > > Yeah for sure. I can DM you with more in-depth info, but here I'll say that > bug 39860 uses the HTML::Scrubber to allow a safe range of HTML to be added. > > I'd add it's not about my needs, but rather the security of Koha as a whole. > I'm just quite active in the security space. At some point, I hope to either > add some additional coding guidelines or a separate "Safe Coding Guidelines" > to complement the existing coding guidelines, which should then make things > clearer. Thanks for the question! Is there any reason those details cannot be shared here fro transparency? If scrubbing the HTML is the only issue then I think this should be left in Notices/Slips where it can be scrubbed. The reason is simple, notices/slips already has a pattern for using placeholder/substitutions which will be need in this bug. I advocate to leave this in notice/slips for that reason. -- You are receiving this mail because: You are watching all bug changes. _______________________________________________ Koha-bugs mailing list [email protected] https://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs website : http://www.koha-community.org/ git : http://git.koha-community.org/ bugs : http://bugs.koha-community.org/
