https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19121

--- Comment #4 from Jonathan Druart <jonathan.dru...@bugs.koha-community.org> ---
(In reply to Katrin Fischer from comment #2)
> Ok, not totally sure if I understand this approach right, but I talked some
> to  Robin this morning while I was working on the XSS patches and from what
> I understand changing the data on the way is probably not the answer. We
> might want to use the data in different contexts where different encoding
> might be needed. Data needs to be encoded differently for use in HTML,
> attributes, JavaScript or in an URL. I am also thinking of our HTML
> preferences, CSV and file output, MARC data etc.

That is why there is a Koha::CGI->param_raw method.

> Robin suggested HTML::Escape as a fast module for escaping. If we wrap that
> into a plugin/make our own filter, we could maybe solve the performance
> issues:
> 
> http://search.cpan.org/~tokuhirom/HTML-Escape-1.09/lib/HTML/Escape.pm

Nope, IIRC it is not faster than
Template::Stash::AutoEscaping::Escaped::HTML::escape (see the patch).
I tried to improve the escapement on bug 13618. The speed was not the problem,
the number of variables was.

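The point made in the quoted text, that one stored value needs a different encoding for each output context, is easy to see in code. The following is an added example written for this page; it is not Koha code and does not use Koha::CGI or the Template::Stash::AutoEscaping filter the thread discusses. The three encoders are hand-written for the demonstration (a project would normally use vetted modules), and the sample value is constructed.

```perl
#!/usr/bin/perl
# Added example (not Koha code): one raw value, four output contexts,
# each rendered through the encoder that context requires.
use strict;
use warnings;

# HTML text nodes and double-quoted attribute values.
sub escape_html {
    my ($s) = @_;
    my %map = ( '&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
                '"' => '&quot;', "'" => '&#39;' );
    $s =~ s/([&<>"'])/$map{$1}/g;
    return $s;
}

# JavaScript string literals: everything except alphanumerics becomes a
# \xHH or \uHHHH escape, so quotes, backslashes, newlines and "</script>"
# can neither end the literal nor end the enclosing <script> block.
sub escape_js_string {
    my ($s) = @_;
    $s =~ s/([^A-Za-z0-9])/ord($1) > 0xFF ? sprintf('\\u%04X', ord $1) : sprintf('\\x%02X', ord $1)/ge;
    return $s;
}

# URL query-string component: percent-encode the UTF-8 bytes of every
# character outside the RFC 3986 unreserved set.
sub escape_url_param {
    my ($s) = @_;
    utf8::encode($s) if utf8::is_utf8($s);
    $s =~ s/([^A-Za-z0-9\-._~])/sprintf('%%%02X', ord $1)/ge;
    return $s;
}

# Encoder chosen by output context. An unknown context dies rather than
# silently emitting the raw value, which is the failure mode to avoid.
my %ENCODER = (
    html      => \&escape_html,
    attribute => \&escape_html,
    js        => \&escape_js_string,
    url       => \&escape_url_param,
);

sub render {
    my ($context, $raw) = @_;
    my $enc = $ENCODER{$context} or die "no encoder for context '$context'";
    return $enc->($raw);
}

# Constructed sample value: contains a character that matters in each context.
my $raw = qq{O'Reilly & <Sons> "Ltd"\nline 2};

print "<p>",              render(html      => $raw), "</p>\n";
print qq{<input value="}, render(attribute => $raw), qq{">\n};
print "var name = '",     render(js        => $raw), "';\n";
print "/search?q=",       render(url       => $raw), "\n";

# Why the encoders are not interchangeable: HTML escaping leaves the newline
# alone, which is harmless inside <p> but splits a JavaScript string literal
# into two lines, i.e. a syntax error rather than the intended value.
my $wrong = "var name = '" . escape_html($raw) . "';";
print "\nHTML escaping applied in a JS context (broken literal):\n$wrong\n";
```

Run it with `perl escaping_contexts.pl` (any filename works). The last block prints the HTML-escaped value inside a JavaScript literal to show that a single "escape on the way in" step, as the quoted comment says, cannot serve every context: the same value that is correct in a `<p>` is wrong in a `<script>` block, and the raw value must stay available so each template site can apply its own encoder.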