[OPEN-ILS-DEV] Javascript in receipt templates?

Dan Scott dan at coffeecode.net
Mon Dec 12 14:35:41 EST 2011


On Mon, Dec 12, 2011 at 02:23:16PM -0500, Jason Boyer wrote:
> Until this morning after coming up on 2.1, we used to use extensive
> Javascript code in our receipts to do a great deal of things, all of which
> are now broken. Peeking inside staff_client/chrome/content/util/print.js
> sheds some light on the problem, namely that all JS is specifically being
> stripped out of templates. I've never seen any discussion about this, and I
> can't imagine it's a security issue (you're not changing a receipt template
> without direct access to the machine anyway). Can anyone try to share what
> the thought process was on this, and if it's amenable to change?

It actually was a security issue - direct access to the machine doesn't
necessarily mean that you have the permissions to install keyloggers,
etc, while having the ability to write unrestricted JavaScript does give
you many possible attack vectors against other staff who may use the
staff client on the same workstation.

We should have flagged this change in the 2.1.0 release notes, but for
now the best write-up of the recommended way of providing access to
custom JavaScript functionality in a secure way via print_custom.js or
an org-unit-setting-specified file is probably
http://git.evergreen-ils.org/?p=Evergreen.git;a=commit;h=865c23330a9e891024e2df3696dfe5a827ed545c

Dan
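The thread above describes the policy (script is stripped from receipt templates, and custom behaviour moves to a separate, controlled file) without showing code. The following is an added illustration, not Evergreen's print.js, of what such a stripping pass can look like and of why it is worth logging what it removed: a stock template passes through unchanged, so any findings indicate the template file on that workstation has been edited. The sample template and the rule names are constructed for this example.

```javascript
// Added example (not Evergreen project code): strip active content from an HTML
// receipt template and report which rules fired, so that a template edited on
// a shared workstation cannot run script in the staff client.

// Each rule: [name, pattern, replacement]. Applied in order on the working copy.
const RULES = [
  // Whole <script>...</script> elements, including their contents.
  ['script_block', /<script\b[^>]*>[\s\S]*?<\/script\s*>/gi, ''],
  // Unbalanced <script> or </script> tags left over after the first pass.
  ['stray_script_tag', /<\/?script\b[^>]*>/gi, ''],
  // Inline event handler attributes such as onload="..." or onerror='...'.
  ['event_handler_attr', /\s+on[a-z]+\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+)/gi, ''],
  // javascript: URLs in href/src/action; neutralised to "#" instead of removed,
  // so the element keeps its shape and the layout does not shift.
  ['script_url_attr', /(\s+(?:href|src|action)\s*=\s*)(["']?)\s*javascript:[^"'>\s]*\2/gi, '$1$2#$2'],
];

// Returns { html, findings }: the stripped template and one entry per rule
// that matched, with the number of matches. A clean template yields [].
function sanitizeTemplate(template) {
  const findings = [];
  let out = template;
  for (const [name, re, replacement] of RULES) {
    const matches = out.match(re); // global match: all hits or null
    if (matches) {
      findings.push({ rule: name, count: matches.length });
      out = out.replace(re, replacement);
    }
  }
  return { html: out, findings };
}

// Constructed sample: a receipt template that someone has edited to add script.
const SAMPLE_TEMPLATE = [
  '<div class="receipt">',
  '  <h1 onload="alert(1)">Checkout Receipt</h1>',
  '  <p>%patron_barcode%</p>',
  '  <script>document.title = "receipt"</script>',
  '  <a href="javascript:void(0)">Details</a>',
  '  <img src="logo.png" onerror="retry()">',
  '</div>',
].join('\n');

const result = sanitizeTemplate(SAMPLE_TEMPLATE);
console.log(result.html);
// findings: script_block x1, event_handler_attr x2, script_url_attr x1
console.log(result.findings);
```

The regular-expression approach is what a small, self-contained check can do on a string template; a parser-based pass that builds a DOM and drops script nodes and handler attributes is the more robust form of the same policy. Either way, the `findings` list is the part worth keeping: written to the staff client's log, it turns a silently stripped template into a visible record that a workstation's template file was changed.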
