https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19121
--- Comment #6 from Robin Sheat <[email protected]> ---

You can't process the data on the way in. You will end up with corrupt data:

* in the database
* output via APIs
* in the web display whenever you're doing anything that isn't straight HTML (JSON, javascript, URLs, attributes, ...)

HTML::Escape is XS, so likely to be faster than a pure-perl implementation. If it's the amount of iterations that is the problem, then you'll probably need to remove the filtering from those parts, assuming they're safe, and perhaps filter them on the way to the template engine if that's faster. But these should be special cases in general.

> It is not only script elements, we need to escape all HTML characters.

That isn't true though. You need to escape only in HTML, and you mustn't escape for things that aren't HTML.

For reference, the way we did this recently is loosely:

* A script added a '| maybexss' filter to all template variables[0]. This filter does not do any HTML escaping (i.e. things shouldn't break.)
* Filters were added: '|n' for things that should be HTML (i.e. no filter), '|attr' for HTML attribute values, ones for JS numbers, strings, bools.
* The default for templates was set to escape any variables.[1]
* Whenever anyone saw a '|maybexss', they removed it if it shouldn't be HTML, or replaced it with one of the above, or if possible refactored it to not output the backend-supplied content (e.g. if it's possible to make it an 'if' condition with fixed answers.)
* Measuring the amount of maybexsses remaining was an indicator of how far through the cleanup was.

[0] this was done with many one/several-file commits, so if something went really bad, it could be reverted for them.
[1] I think that this was done with a flag at the top of the file, so that it could be done progressively.

-- 
You are receiving this mail because:
You are watching all bug changes.
_______________________________________________
Koha-bugs mailing list
[email protected]
http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs
website : http://www.koha-community.org/
git : http://git.koha-community.org/
bugs : http://bugs.koha-community.org/
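The point of the comment above (escape at output, per context, never on the way in) as an added, stand-alone Perl example. This is not Koha code and not HTML::Escape: the three escaping routines stand in for the '|n', '|attr' and JS-string filters the comment names, the decision to treat attribute values with the same table as text (assuming attributes are always quoted) is an assumption of this example, and the title string is constructed. It also shows the corruption the comment warns about when an already-escaped value is handed to a JSON API.

```perl
#!/usr/bin/env perl
# Added example (not Koha's code): one escaping routine per output context,
# and what goes wrong when data is escaped before storage instead.
use strict;
use warnings;
use JSON::PP ();

# Constructed sample input: a title containing markup and both quote styles.
my $title = q{Tom & Jerry <script>alert(1)</script> "quoted" 'single'};

# HTML text content: the five characters that matter inside an element body.
sub escape_html {
    my ($s) = @_;
    my %map = ('&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
               '"' => '&quot;', "'" => '&#39;');
    $s =~ s/([&<>"'])/$map{$1}/g;
    return $s;
}

# HTML attribute value. Assumption of this example: the attribute is always
# written with double quotes in the template, so the HTML table is sufficient.
sub escape_attr { return escape_html(@_) }

# JS string literal. JSON encoding handles quotes, backslashes and control
# characters; '<' and '>' are additionally escaped so a value containing
# "</script>" cannot terminate the enclosing <script> element.
sub escape_js_string {
    my ($s) = @_;
    my $lit = JSON::PP->new->allow_nonref->encode("$s");
    $lit =~ s/</\\u003c/g;
    $lit =~ s/>/\\u003e/g;
    return $lit;
}

# A JSON API response built from whatever is in the database. If the stored
# value was escaped on the way in, the API client receives '&amp;' and '&lt;'
# where the real data had '&' and '<'.
sub api_json_from_stored {
    my ($stored) = @_;
    return JSON::PP->new->canonical->encode({ title => $stored });
}

my $stored_raw     = $title;                 # store as received, escape at output
my $stored_escaped = escape_html($title);    # the "escape on the way in" anti-pattern

print "HTML text:  <td>", escape_html($stored_raw), "</td>\n";
print "attribute:  <input value=\"", escape_attr($stored_raw), "\">\n";
print "JS string:  var t = ", escape_js_string($stored_raw), ";\n";
print "API (ok):   ", api_json_from_stored($stored_raw), "\n";
print "API (bad):  ", api_json_from_stored($stored_escaped), "\n";  # corrupted data
```

Run it with `perl` to see that the same stored string is rendered safely in each of the three contexts, while the last line shows the doubly-encoded output an API client would get if the value had been escaped before it reached the database.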
