<html><body style="font-family: 'Helvetica Neue',Helvetica,Arial,sans-serif; font-size: 12px;">The option makes sense, but I think it's a big risk<br /> <br />Pgogy Webstuff http://www.pgogywebstuff.com<div>Makers of Web things of a fair to middling quality</div><br /><blockquote><br />----- Original Message -----<br /><div style="width:100%;background:rgb(228,228,228);"><div style="font-weight:bold;">From:</div> "For Xerte technical developers" <xerte-dev@lists.nottingham.ac.uk></div><br /><div style="font-weight:bold;">To:</div>"For Xerte technical developers" <xerte-dev@lists.nottingham.ac.uk><br /><div style="font-weight:bold;">Cc:</div><br /><div style="font-weight:bold;">Sent:</div>Fri, 10 May 2013 09:57:15 +0100<br /><div style="font-weight:bold;">Subject:</div>[Xerte-dev] Re: Upload JS<br /><br /><br /><div class="WordSection1">
<p class="MsoNormal"><span style="color:#1F497D;">We could just add as an optional setting in management to allow JS or anything else that would be insecure, off by default and allow the end user to choose… on a very closed system I agree it would be good.
</span></p><p></p><p></p>
<div>
<p class="MsoNormal"><span style="color:#1F497D;"></span></p><p> </p><p></p>
<p class="MsoNormal"><span style="color:#1F497D;">Regards,</span></p><p></p><p></p>
<p class="MsoNormal"><span style="color:#1F497D;"></span></p><p> </p><p></p>
<p class="MsoNormal"><span style="color:#1F497D;">John Smith</span></p><p></p><p></p>
<p class="MsoNormal"><span style="color:#1F497D;">Learning Technologist</span></p><p></p><p></p>
<p class="MsoNormal"><span style="color:#1F497D;">School of Health & Life Sciences</span></p><p></p><p></p>
<p class="MsoNormal"><span style="color:#1F497D;">Glasgow Caledonian University</span></p><p></p><p></p>
</div>
<p class="MsoNormal"><span style="color:#1F497D;"></span></p><p> </p><p></p>
<div>
<div style="border:none;border-top:solid #B5C4DF 1pt;padding:3pt 0in 0in 0in;">
<p class="MsoNormal"><b><span style="font-size:10pt;font-family:Tahoma, 'sans-serif';">From:</span></b><span style="font-size:10pt;font-family:Tahoma, 'sans-serif';"> xerte-dev-bounces@lists.nottingham.ac.uk [mailto:xerte-dev-bounces@lists.nottingham.ac.uk]
<b>On Behalf Of </b>Julian Tenney<br /><b>Sent:</b> Friday, May 10, 2013 9:49 AM<br /><b>To:</b> For Xerte technical developers<br /><b>Subject:</b> [Xerte-dev] Re: Upload JS</span></p><p></p><p></p>
</div>
</div>
<p class="MsoNormal"></p><p> </p><p></p>
<p class="MsoNormal"><span style="color:#1F497D;" lang="en-gb" xml:lang="en-gb">Fair enough then.</span></p><p></p><p></p>
<p class="MsoNormal"><span style="color:#1F497D;" lang="en-gb" xml:lang="en-gb"></span></p><p> </p><p></p>
<p class="MsoNormal"><span style="color:#1F497D;" lang="en-gb" xml:lang="en-gb">Shame.</span></p><p></p><p></p>
<p class="MsoNormal"><span style="color:#1F497D;" lang="en-gb" xml:lang="en-gb"></span></p><p> </p><p></p>
<div>
<div style="border:none;border-top:solid #B5C4DF 1pt;padding:3pt 0in 0in 0in;">
<p class="MsoNormal"><b><span style="font-size:10pt;font-family:Tahoma, 'sans-serif';">From:</span></b><span style="font-size:10pt;font-family:Tahoma, 'sans-serif';">
<a href="mailto:xerte-dev-bounces@lists.nottingham.ac.uk">xerte-dev-bounces@lists.nottingham.ac.uk</a> [<a href="mailto:xerte-dev-bounces@lists.nottingham.ac.uk">mailto:xerte-dev-bounces@lists.nottingham.ac.uk</a>]
<b>On Behalf Of </b>Pat @ Pgogy <br /><b>Sent:</b> 10 May 2013 09:00<br /><b>To:</b> For Xerte technical developers<br /><b>Subject:</b> [Xerte-dev] Re: Upload JS</span></p><p></p><p></p>
</div>
</div>
<p class="MsoNormal"><span lang="en-gb" xml:lang="en-gb"></span></p><p> </p><p></p>
<div>
<p class="MsoNormal"><span lang="en-gb" xml:lang="en-gb">Yes</span></p><p></p><p></p>
</div>
<div>
<p class="MsoNormal" style="margin-bottom:12pt;"><span lang="en-gb" xml:lang="en-gb"><br />
On 10 May 2013, at 07:59, Julian Tenney <<a href="mailto:Julian.Tenney@nottingham.ac.uk">Julian.Tenney@nottinghamac.uk</a>> wrote:</span></p><p></p><p></p>
</div>
<blockquote style="margin-top:5pt;margin-bottom:5pt;">
<div>
<p class="MsoNormal"><span lang="en-gb" xml:lang="en-gb">Thinking aloud here, you can write javascript in the bootstrap template – so it would probably be handy if you could upload a .js file, because anything more than trivial is going to be a right pita to write in the wizard.
.js is currently blacklisted. Given all the other security updates recently, do you think we are opening up a major hole if we allowed .js? Either by uploading a script file, or by pointing to a url somewhere?</span></p><p></p><p></p>
<p class="MsoNormal"><span lang="en-gb" xml:lang="en-gb"> </span></p><p></p><p></p>
<p class="MsoNormal" style="margin-bottom:12pt;"><span style="font-size:12pt;font-family:'Times New Roman', serif;" lang="en-gb" xml:lang="en-gb"></span></p><p> </p><p></p>
</div>
</blockquote>
<blockquote style="margin-top:5pt;margin-bottom:5pt;">
<div>
<p class="MsoNormal"><span style="font-size:12pt;font-family:'Times New Roman', serif;" lang="en-gb" xml:lang="en-gb">_______________________________________________<br />
Xerte-dev mailing list<br /><a href="mailto:Xerte-dev@lists.nottingham.ac.uk">Xerte-dev@lists.nottingham.ac.uk</a><br /><a href="http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev">http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev</a></span></p><p></p><p></p>
</div>
</blockquote>
</div>
<br /><font face="Arial" size="2">Glasgow Caledonian University is a registered Scottish charity, number SC021474<br /><br />
Winner: Times Higher Education’s Widening Participation Initiative of the Year 2009 and Herald Society’s Education Initiative of the Year 2009.<br />
http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,6219,en.html<br /><br />
Winner: Times Higher Education’s Outstanding Support for Early Career Researchers of the Year 2010, GCU as a lead with Universities Scotland partners.<br />
http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,15691,en.html<br /></font>
</blockquote></body></html>