On Tuesday, December 30, 2014 12:00:01 PM UTC-8, Niphlod wrote:
>
> On Tuesday, December 30, 2014 8:35:23 PM UTC+1, Dave S wrote:
>>
>> On Tuesday, December 30, 2014 7:32:15 AM UTC-8, Niphlod wrote:
>>>
>>> I don't get what you're asking for. If you choose to create *your* own
>>> policy and part of *your* application uses something that *your* own
>>> policy discards, there's nothing *web2py* can do.
>>>
>> If it were me, I'd be asking for suggestions that either
>>
>> a) modify the policy in a way that maintains security but allows the
>> calendar.js to work
>> (this would likely be a suggestion from someone with experience with
>> security policies)
>>
>
> the policy is a single-line header with no possibility to set "per-file"
> policies, i.e. allow eval for just calendar.js
>
Is there a lesser setting that allows eval without allowing too much of other "threats"? Could changing to that setting be justified to management (aside from the IE defense: "The normal user has a working visit if we do it that way").

>
>> b) suggest a way to remove the dependency on 'eval'
>> (this would likely be a suggestion from someone with experience swapping
>> js files under web2py)
>>
>
> The scaffolding app "adoptes" a calendar widget that is not forced upon
> anybody (web2py is a python framework to make apps, and the scaffolding app
> is not a solution for every problem). If "eval" in calendar.js is such a
> threat that the app (or the coder) can't take, he should evaluate another
> widget.
>

So the OP should be able to strip out calendar.js, and substitute another? Does someone in the community have pointers to a good choice, especially one that can be slid in easily? Are there already examples at web2pyslices.com? (My quick scan only came across an unanswered question at <URL:http://www.web2pyslices.com/slice/show/1525/how-to-get-the-drop-down-date-selector-by-default>)

/dps
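
An added example, not part of the original thread: in Content-Security-Policy the `'unsafe-eval'` keyword in `script-src` permits `eval()` without permitting inline script, but it applies to every script the page loads, which matches the "no per-file policy" point above. The sketch below compares two constructed policies (the thread does not show the poster's actual header) and reports exactly what the relaxed one adds; all function names are hypothetical.

```python
# Added example: the policy strings are constructed, not taken from the thread.

def parse_csp(header):
    """Parse a Content-Security-Policy value into {directive: set(sources)}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            # A repeated directive is ignored by browsers; the first one wins.
            policy.setdefault(tokens[0].lower(), set(tokens[1:]))
    return policy

def script_sources(policy):
    """Sources that govern scripts, or None when scripts are unrestricted."""
    for name in ("script-src", "default-src"):  # script-src falls back to default-src
        if name in policy:
            return policy[name]
    return None

def _has_keyword(header, keyword):
    sources = script_sources(parse_csp(header))
    # With no governing directive the browser applies no script restriction.
    return sources is None or keyword in {s.lower() for s in sources}

def allows_eval(header):
    return _has_keyword(header, "'unsafe-eval'")

def allows_inline(header):
    return _has_keyword(header, "'unsafe-inline'")

def script_relaxations(old_header, new_header):
    """Script sources the new policy grants that the old one did not."""
    old = script_sources(parse_csp(old_header))
    new = script_sources(parse_csp(new_header))
    if old is None:
        return []                      # old policy already allowed everything
    if new is None:
        return ["<unrestricted>"]      # new policy dropped script control entirely
    return sorted(new - old)

# Constructed sample policies.
STRICT = "default-src 'self'; object-src 'none'"
EVAL_ONLY = "default-src 'self'; script-src 'self' 'unsafe-eval'; object-src 'none'"

if __name__ == "__main__":
    print("added script sources:", script_relaxations(STRICT, EVAL_ONLY))
    print("eval allowed:", allows_eval(EVAL_ONLY))
    print("inline script allowed:", allows_inline(EVAL_ONLY))
```
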

