Comment 4 for bug 1869971

Galen Charlton (gmc) wrote : Re: Custom CSS considered harmful

As Jason mentioned, equivalent functionality has existed in Koha for years; I am not aware of particular security issues in practice, although this bug report is quite correct that the potential exists for a naive or malicious local admin to put in undesirable script tags.

It is my opinion that a reversion is overkill and that Evergreen admins can manage the risk via proper training of their local admins and taking care about to whom they assign UPDATE_ORG_UNIT_SETTING.opac.patron.custom_css.

I have no objection to adding a config.tt2 flag and adjusting the wording of the library setting to warn against dangerous values. This can definitely be accomplished before general release (and I am willing to commit to doing the work); I am also willing to see if HTML::Defang or similar approaches can be readily applied to sanitize the values. For that matter, tossing Template Toolkit replace() filters in base.tt2 to zap < and > should help ameliorate the issue.

However, allowing local admins more direct and responsive control for tweaking their catalogs is a valuable feature that I would hate to see get lost.
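The following is an added example, not Evergreen code and not part of the comment above. It shows, in Python rather than Template Toolkit, what the "zap < and >" replace() idea does: a raw custom CSS value can close the enclosing style element and introduce a script element, and dropping both angle brackets removes that breakout. The setting name, the payload and the render helper are constructed for illustration; Python's html.parser stands in for the browser's tokenizer, which treats style content the same way (raw text until the matching close tag).

```python
"""Added example (not Evergreen's code): style-block breakout via a custom CSS
setting, and the '<'/'>' stripping mitigation proposed in the comment."""
from html.parser import HTMLParser
import re

# Constructed sample values for the opac.patron.custom_css setting.
# MALICIOUS_CSS is a hypothetical payload: valid CSS, then a close of the
# style element, a script element, and a reopened style element so the
# remainder still parses as CSS.
MALICIOUS_CSS = (
    "body { background: #fff; }\n"
    "</style><script>alert('custom css')</script><style>\n"
    ".hidden { display: none; }"
)
BENIGN_CSS = "#header { color: #036; }\n.result-title { font-weight: bold; }"


def sanitize_custom_css(value: str) -> str:
    """Drop '<' and '>' so the value cannot close the enclosing style element.

    This is the Python equivalent of the Template Toolkit filters the comment
    suggests: [% value | replace('<', '') | replace('>', '') %].
    """
    return re.sub(r"[<>]", "", value)


def render_style_block(css: str) -> str:
    """Mimic a template (assumed base.tt2) emitting the setting inside <style>."""
    return f'<style type="text/css">\n{css}\n</style>'


class TagCollector(HTMLParser):
    """Record every start tag the HTML parser sees in the rendered fragment."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[str] = []

    def handle_starttag(self, tag: str, attrs) -> None:
        self.tags.append(tag)


def tags_in(html: str) -> list[str]:
    """Return the start tags produced by parsing the fragment."""
    parser = TagCollector()
    parser.feed(html)
    parser.close()
    return parser.tags


def is_safe(css: str) -> bool:
    """Safe here means: after rendering, the parser sees only the style
    element itself, i.e. the value never escaped the style block."""
    return tags_in(render_style_block(css)) == ["style"]


if __name__ == "__main__":
    print("raw value escapes style block:", not is_safe(MALICIOUS_CSS))
    print("sanitized value stays inside:", is_safe(sanitize_custom_css(MALICIOUS_CSS)))
    print("benign value unaffected:", is_safe(BENIGN_CSS))
```

One caveat a practitioner should weigh before adopting the replace() approach: `>` is the CSS child combinator, so stripping it silently rewrites selectors such as `ul > li` into descendant selectors. Stripping only `<` is enough to prevent the style-element breakout shown here, since the browser ends raw-text content only at a literal `</style` sequence; whether to also drop `>` is a trade-off between simplicity and preserving valid CSS.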