https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19838
--- Comment #22 from Lucas Gass (lukeg) <[email protected]> ---
(In reply to Owen Leonard from comment #21)
> (In reply to David Cook from comment #20)
> > Like bug 39860 and bug 40659, this should be using a scrubber profile to
> > protect against XSS vulnerabilities.
>
> Sounds like we need a new coding guideline. David could you write up
> something to add to the next dev meeting? A follow-up patch here would be a
> great way to provide an example ;)

Yes, we do need a new coding guideline. If we do so, we should also file a bug and make sure all older HTML customizations get scrubbed, IMO. In doing so we can perhaps standardize some of the scrubber profiles? We currently have 3.

One for 'note', which allows the following HTML tags:

br b i em big small strong u hr span div p ol ul li dl dt dd

One for 'comment', which allows:

br b i em big small strong

And one for "record_display" for Bug 39860; it is the most permissive one, allowing classes, IDs, and much more HTML:

div span h1 h2 h3 h4 h5 h6 p br ul ol li dl dt dd a img strong b em i u s strike del ins sup sub blockquote cite q abbr acronym dfn table thead tbody tfoot tr td th caption pre code kbd samp var hr address

Do we need to come up with a general profile that can be used for all HTML customization?

--
You are receiving this mail because:
You are watching all bug changes.
_______________________________________________
Koha-bugs mailing list
[email protected]
https://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs
website : http://www.koha-community.org/
git : http://git.koha-community.org/
bugs : http://bugs.koha-community.org/
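The following is an added example, not Koha's code (Koha's C4::Scrubber is a Perl wrapper around HTML::Scrubber). It reimplements the three tag allowlists quoted in the comment above as an allowlist scrubber in Python so the practical difference between the profiles can be seen on real input, and it shows the part a tag allowlist alone does not cover: with the permissive record_display profile, `a` and `img` are allowed, so event-handler attributes and `javascript:` URLs (including entity-encoded or tab-split spellings) must also be rejected or the profile still permits XSS. The attribute rules (class/id globally, href/title on `a`, src/alt/width/height on `img`) and the allowed URL schemes are assumptions made for this example; the comment only lists tags and says record_display allows classes and IDs.

```python
from html.parser import HTMLParser
from html import escape
from urllib.parse import urlparse

# Tag allowlists copied from the comment above. Attribute rules are an assumption
# for this example; Koha's actual HTML::Scrubber profiles may differ.
PROFILES = {
    "comment": {"tags": set("br b i em big small strong".split()), "attrs": {}},
    "note": {
        "tags": set("br b i em big small strong u hr span div p ol ul li dl dt dd".split()),
        "attrs": {},
    },
    "record_display": {
        "tags": set(
            "div span h1 h2 h3 h4 h5 h6 p br ul ol li dl dt dd a img strong b em i u s "
            "strike del ins sup sub blockquote cite q abbr acronym dfn table thead tbody "
            "tfoot tr td th caption pre code kbd samp var hr address".split()
        ),
        # "*" applies to every allowed tag; per-tag sets are added on top.
        "attrs": {"*": {"class", "id"}, "a": {"href", "title"},
                  "img": {"src", "alt", "width", "height"}},
    },
}
VOID = {"br", "hr", "img"}            # tags that never get a closing tag
SAFE_SCHEMES = {"", "http", "https", "mailto"}  # "" means a relative URL


def safe_url(value):
    """Scheme allowlist for href/src. Browsers drop tab/CR/LF inside a URL, so
    'java\\tscript:' still executes; strip those before parsing the scheme."""
    cleaned = "".join(c for c in value.strip() if c not in "\t\r\n")
    return urlparse(cleaned).scheme.lower() in SAFE_SCHEMES


class Scrubber(HTMLParser):
    def __init__(self, profile):
        super().__init__(convert_charrefs=True)  # entities in text are decoded, then re-escaped on output
        self.tags = PROFILES[profile]["tags"]
        self.attr_rules = PROFILES[profile]["attrs"]
        self.out, self.stack, self.skip = [], [], 0

    def _kept_attrs(self, tag, attrs):
        allowed = self.attr_rules.get("*", set()) | self.attr_rules.get(tag, set())
        kept = []
        for name, value in attrs:       # HTMLParser already entity-decoded the values
            name = name.lower()
            if value is None or name not in allowed:
                continue                # drops onerror=, onclick=, style=, ...
            if name in ("href", "src") and not safe_url(value):
                continue
            kept.append((name, value))
        return kept

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):  # drop the element AND its content
            self.skip += 1
            return
        if self.skip or tag not in self.tags:
            return                      # disallowed tag: drop the tag, keep its text
        attr_text = "".join(f' {n}="{escape(v, quote=True)}"' for n, v in self._kept_attrs(tag, attrs))
        self.out.append(f"<{tag}{attr_text}>")
        if tag not in VOID:
            self.stack.append(tag)

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip = max(0, self.skip - 1)
            return
        if self.skip or tag in VOID or tag not in self.stack:
            return                      # stray or disallowed end tag
        while True:                     # close anything left open inside it
            top = self.stack.pop()
            self.out.append(f"</{top}>")
            if top == tag:
                break

    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data, quote=False))

    def handle_comment(self, data):     # comments are never emitted
        pass


def scrub(html, profile):
    """Return `html` reduced to the given profile, with balanced tags."""
    s = Scrubber(profile)
    s.feed(html)
    s.close()
    while s.stack:                      # close tags the input left open
        s.out.append(f"</{s.stack.pop()}>")
    return "".join(s.out)


if __name__ == "__main__":
    # Constructed sample input, not data from the bug report.
    payload = '<a href="&#106;avascript:alert(1)" onclick="x()" class="c">x</a><img src="x" onerror="alert(1)">'
    for p in ("comment", "note", "record_display"):
        print(p, "=>", scrub(payload, p))
```

Run with different profiles and the same payload to see why the permissive profile needs attribute and URL rules: under `comment` or `note` the whole `a`/`img` markup is stripped to its text, while under `record_display` the tags survive and only the attribute filtering stands between the stored customization and a script execution in the OPAC page.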
