[Xerte-dev] Re: Upload JS

[Smith, John]

Yes.

But in some cases it may be a necessary evil. As long as the users are trusted then there probably isn't an issue but some institutions probably will freak out at the idea.

Hosting elsewhere is most likely fine because of cross domain restrictions so no less secure than including an external  library. Hosting xot solo on a sub domain is probably similarly okish for same reason but a rogue user could possibly do stuff.

A moodle integration would probably be worse case scenario. You could run commands as another logged in user using ajax as if they had clicked on a link.

Regards

John Smith
Learning Technologist
School of Health and Life Sciences

Sent from Samsung Galaxy SII



Julian Tenney <Julian.Tenney at nottingham.ac.uk> wrote:


Thinking aloud here, you can write javascript in the bootstrap template – so it would probably be handy if you could upload a .js file, because anything more than trivial is going to be a right pita to write in the wizard. .js is currently blacklisted. Given all the other security updates recently, do you think we are opening up a major hole if we allowed .js? Either by uploading a script file, or by pointing to a url somewhere?





Glasgow Caledonian University is a registered Scottish charity, number SC021474

Winner: Times Higher Education’s Widening Participation Initiative of the Year 2009 and Herald Society’s Education Initiative of the Year 2009.
http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,6219,en.html

Winner: Times Higher Education’s Outstanding Support for Early Career Researchers of the Year 2010, GCU as a lead with Universities Scotland partners.
http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,15691,en.html