[OPEN-ILS-DEV] Javascript in receipt templates?

Jason Boyer jasonb at myjclibrary.org
Mon Dec 12 14:49:55 EST 2011


Thanks for the pointer, I'll see if I can read up on this soon and get
things transitioned.

Jason

--
Jason Boyer, IT Specialist
Jackson County Public Library
303 W Second St
Seymour, IN 47274

jasonb at myjclibrary.org


On Mon, Dec 12, 2011 at 2:35 PM, Dan Scott <dan at coffeecode.net> wrote:

> On Mon, Dec 12, 2011 at 02:23:16PM -0500, Jason Boyer wrote:
> > Until this morning after coming up on 2.1, we used to use extensive
> > Javascript code in our receipts to do a great deal of things, all of which
> > are now broken. Peeking inside staff_client/chrome/content/util/print.js
> > sheds some light on the problem, namely that all JS is specifically being
> > stripped out of templates. I've never seen any discussion about this, and I
> > can't imagine it's a security issue (you're not changing a receipt template
> > without direct access to the machine anyway). Can anyone try to share what
> > the thought process was on this, and if it's amenable to change?
>
> It actually was a security issue - direct access to the machine doesn't
> necessarily mean that you have the permissions to install keyloggers,
> etc, while having the ability to write unrestricted JavaScript does give
> you many possible attack vectors against other staff who may use the
> staff client on the same workstation.
>
> We should have flagged this change in the 2.1.0 release notes, but for
> now the best write-up of the recommended way of providing access to
> custom JavaScript functionality in a secure way via print_custom.js or
> an org-unit-setting-specified file is probably
>
> http://git.evergreen-ils.org/?p=Evergreen.git;a=commit;h=865c23330a9e891024e2df3696dfe5a827ed545c
>
> Dan
>