https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19838
--- Comment #23 from David Cook <[email protected]> ---

(In reply to Lucas Gass (lukeg) from comment #22)
> (In reply to Owen Leonard from comment #21)
> > (In reply to David Cook from comment #20)
> > > Like bug 39860 and bug 40659, this should be using a scrubber profile to
> > > protect against XSS vulnerabilities.
> >
> > Sounds like we need a new coding guideline. David could you write up
> > something to add to the next dev meeting? A follow-up patch here would be a
> > great way to provide an example ;)
>
> Yes, we do need a new coding guideline.

100% need a new coding guideline.

People talk about adding things to dev meetings, but I have no idea how that's done. Is there a person to send it to, somewhere to put it, or something else?

I can't make it to dev meetings, which makes it extra hard, I think.

> Do we need to come up with a general profile that can be used for all HTML
> customization?

I don't think that's 100% possible, as different contexts can require different restrictions.

The one I bump into the most locally is content that gets added into DataTables. If you allow tables into the HTML that's added into DataTables, things can bust.

But then there are other places like OpacMainUserBlock where maybe you do want to allow tables. But it's not always clear what's going to end up in a DataTable, as sometimes it might just be shown on a regular page.

I don't have a good answer for that yet...
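The comment above argues for per-context scrubber profiles rather than one general profile, using table markup as the example of something that is fine in a standalone block but breaks when injected into a DataTables cell. The script below is an added illustration of that idea, not code from this bug or from Koha: it builds two profiles directly with the CPAN HTML::Scrubber module (which Koha's C4::Scrubber wraps), one that permits table tags and one that does not, while both deny script/style elements, event-handler attributes and javascript: URLs. The profile names, the build_profile helper, the tag and attribute lists and the sample HTML are all my own choices for the example.

```perl
#!/usr/bin/env perl
# Added example, not Koha's own code: context-specific HTML::Scrubber
# profiles for operator-supplied HTML customisation content.
use strict;
use warnings;
use HTML::Scrubber;

# Attributes permitted on any allowed tag. Event handlers (onclick,
# onerror, ...) are deliberately absent, so they fall through to the
# "deny unknown attributes" default below and are dropped.
my %safe_attrs = ( class => 1, id => 1, title => 1 );

# href/src must be http(s), mailto, a relative/fragment URL, or have no
# scheme at all; javascript: and data: URLs fail this pattern.
my $safe_url = qr{^(?:https?:|mailto:|/|#|[^:]*$)}i;

# Per-tag attribute rules shared by every profile.
my %common_rules = (
    a   => { %safe_attrs, href => $safe_url, rel => 1, target => 1 },
    img => { %safe_attrs, src  => $safe_url, alt => 1, width => 1, height => 1 },
);

# Inline/formatting markup that every profile permits.
my @inline_tags = qw(a b i em strong u br span img p ul ol li);
# Table markup is only permitted where the output is rendered as its own
# block; nested tables inside a DataTables cell break the widget.
my @table_tags  = qw(table thead tbody tfoot tr th td caption);

# Hypothetical helper: build a scrubber that optionally allows tables.
sub build_profile {
    my ($allow_tables) = @_;
    return HTML::Scrubber->new(
        allow   => [ @inline_tags, ( $allow_tables ? @table_tags : () ) ],
        rules   => [ %common_rules ],
        # Deny every tag not listed in allow/rules, and for allowed tags
        # without a specific rule permit only the attributes in %safe_attrs.
        default => [ 0, { %safe_attrs } ],
        comment => 0,    # strip HTML comments
        script  => 0,    # deny <script>
        style   => 0,    # deny <style>
    );
}

my %profiles = (
    # e.g. a block such as OpacMainUserBlock rendered on its own
    block          => build_profile(1),
    # e.g. content that will be placed inside a DataTables cell
    datatable_cell => build_profile(0),
);

# Constructed sample input (not taken from the bug report).
my $untrusted = <<'HTML';
<p onclick="alert(1)">Opening hours</p>
<script>alert(document.cookie)</script>
<a href="javascript:alert(1)">click</a>
<a href="https://example.org/hours">hours</a>
<img src="x" onerror="alert(1)">
<table><tr><td>Mon</td><td>9-5</td></tr></table>
HTML

for my $name ( sort keys %profiles ) {
    print "== $name ==\n", $profiles{$name}->scrub($untrusted), "\n";
}
```

Both profiles remove the script element, the onclick/onerror attributes and the javascript: link while keeping the https link; only the block profile keeps the table markup. The profile therefore has to be chosen by the template or controller that knows where the HTML will land, which is exactly the difficulty the comment raises for content that sometimes ends up in a DataTable and sometimes on a plain page. Scrubbing to the stricter profile is the safe default when that destination is unknown.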
