https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36805
--- Comment #6 from David Cook <[email protected]> ---

(In reply to Katrin Fischer from comment #4)
> Apart from "our problem" I think we need to think carefully how to
> communicate a possibly breaking change like this in a good way.

At some stage, I'd love to just do 1 big breaking change where we say "all JavaScript must be done via this one mechanism" and "all HTML inputs will now be scrubbed and limited to X, Y, Z elements/attributes".

It'll be unpleasant as an upgrade, but from a security perspective it would be wise. Koha often errs on the side of convenience over security, and one day it may well come back to bite all of us.

--

I figure breaking changes are OK for libraries with support, because they can get it fixed rapidly. They're harder for libraries without support, but... that's one of the reasons you have support, so that there is someone there to support you through changes.

--

I think Owen's idea is a very good one.

@Katrin, maybe for your use case we need to add a new HTML Customization that helps you out?
