Filter quicksearch input for XSS in all cases; make general filtering…

… pref default to active in app.conf; had been disabled for performance reasons and due to user complaints; now leave it up to user to opt-put.
collectiveaccess · Sep 24, 2021 · 35fb6c3 · 35fb6c3
1 parent 8034eb1
commit 35fb6c3
Showing 1 changed file with 9 additions and 0 deletions.
diff --git a/app/conf/app.conf b/app/conf/app.conf
@@ -2099,6 +2099,15 @@ service_controllers_directory = <ca_app_dir>/service/controllers
 service_default_action = /search/rest/doSearch
 service_view_path = <ca_app_dir>/service/views
 
+# -----------------------------------
+# Filtering of text input
+#
+# Set to filter all entered data through HTMLPurifier
+# removing any potentially dangerous markup. This is generally 
+# a good thing, but significantly impacts performance. You may
+# wish to disable it if all user input is trusted.
+# -----------------------------------
+purify_all_text_input = 1
 
 # -----------------------------------
 # Paths to other config files