Thanks for the pointer, I'll see if I can read up on this soon and get things transitioned.
Jason
--
Jason Boyer, IT Specialist
Jackson County Public Library
303 W Second St
Seymour, IN 47274
[email protected]

On Mon, Dec 12, 2011 at 2:35 PM, Dan Scott <[email protected]> wrote:

> On Mon, Dec 12, 2011 at 02:23:16PM -0500, Jason Boyer wrote:
> > Until this morning after coming up on 2.1, we used to use extensive
> > Javascript code in our receipts to do a great deal of things, all of which
> > are now broken. Peeking inside staff_client/chrome/content/util/print.js
> > sheds some light on the problem, namely that all JS is specifically being
> > stripped out of templates. I've never seen any discussion about this, and I
> > can't imagine it's a security issue (you're not changing a receipt template
> > without direct access to the machine anyway). Can anyone try to share what
> > the thought process was on this, and if it's amenable to change?
>
> It actually was a security issue - direct access to the machine doesn't
> necessarily mean that you have the permissions to install keyloggers,
> etc, while having the ability to write unrestricted JavaScript does give
> you many possible attack vectors against other staff who may use the
> staff client on the same workstation.
>
> We should have flagged this change in the 2.1.0 release notes, but for
> now the best write-up of the recommended way of providing access to
> custom JavaScript functionality in a secure way via print_custom.js or
> an org-unit-setting-specified file is probably
>
> http://git.evergreen-ils.org/?p=Evergreen.git;a=commit;h=865c23330a9e891024e2df3696dfe5a827ed545c
>
> Dan
