I don't get what you're asking for. If you choose to create your own policy and part of your application uses something that your own policy discards, there's nothing web2py can do.
On Tuesday, December 30, 2014 7:32:15 AM UTC-8, Niphlod wrote: I don't get what you're asking for. If you choose to create your own policy and part of your application uses something that your own policy discards, there's nothing web2py can do.
If it were me, I'd be asking for suggestions that either
a) modify the policy in a way that maintains security but allows the calendar.js to work
(this would likely be a suggestion from someone with experience with security policies)
b) suggest a way to remove the dependency on 'eval'
(this would likely be a suggestion from someone with experience swapping js files under web2py)
On Tuesday, December 30, 2014 8:35:23 PM UTC+1, Dave S wrote:
On Tuesday, December 30, 2014 7:32:15 AM UTC-8, Niphlod wrote: I don't get what you're asking for. If you choose to create your own policy and part of your application uses something that your own policy discards, there's nothing web2py can do.
If it were me, I'd be asking for suggestions that either
a) modify the policy in a way that maintains security but allows the calendar.js to work
(this would likely be a suggestion from someone with experience with security policies)
The policy is a single-line header with no possibility to set "per-file" policies, i.e. allow eval for just calendar.js.
b) suggest a way to remove the dependency on 'eval'
(this would likely be a suggestion from someone with experience swapping js files under web2py)
The scaffolding app "adopts" a calendar widget that is not forced upon anybody (web2py is a python framework to make apps, and the scaffolding app is not a solution for every problem). If "eval" in calendar.js is such a threat that the app (or the coder) can't take, he should evaluate another widget.
Is there a lesser setting that allows eval without allowing too much of other "threats"? Could changing to that setting be justified to management (aside from the IE defense: "The normal user has a working visit if we do it that way")?
So the OP should be able to strip out calendar.js, and substitute another? Does someone in the community have pointers to a good choice, especially one that can be slid in easily? Are there already examples at web2pyslices.com? (My quick scan only came across an unanswered question at
<URL:http://www.web2pyslices.com/slice/show/1525/how-to-get-the-drop-down-date-selector-by-default>)
Everyone can... The question is, did anybody try before looking into pre-baked solutions, or MUST any app come from a general cut&paste of the internet :-P ? This carries a different widget that is compatible with bs3: https://github.com/niphlod/cs_monitor_plugin
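
The trade-off discussed in this thread, as an added example that is not from any poster or from web2py: assuming the policy in question is a Content-Security-Policy header, it is sent per response rather than per script file, so `'unsafe-eval'` can be limited to the pages that load calendar.js while inline scripts and other origins stay blocked. The base policy, the `EVAL_PAGES` set and the function names are hypothetical.

```python
# Added example; the policy, page list and function names are hypothetical.
BASE_POLICY = {
    "default-src": ["'self'"],
    "script-src": ["'self'"],
    "object-src": ["'none'"],
}
# Constructed: (controller, function) pairs whose views load calendar.js.
EVAL_PAGES = {("default", "edit_event")}


def build_csp(controller, function):
    """Build the header value for one response; only widget pages get eval."""
    policy = {name: list(srcs) for name, srcs in BASE_POLICY.items()}
    if (controller, function) in EVAL_PAGES:
        policy["script-src"].append("'unsafe-eval'")
    return "; ".join(f"{n} {' '.join(s)}" for n, s in policy.items())


def script_sources(header):
    """Effective source list for scripts: script-src, else default-src.

    Returns None when neither directive is present (scripts unrestricted).
    A repeated directive is ignored; the first occurrence wins.
    Tokens are lowercased because they are only used for keyword checks.
    """
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), [t.lower() for t in tokens[1:]])
    return policy.get("script-src", policy.get("default-src"))


def allows_eval(header):
    """True if a page served with this policy may call eval()."""
    sources = script_sources(header)
    return sources is None or "'unsafe-eval'" in sources


if __name__ == "__main__":
    # In a web2py model file the value would be assigned to
    # response.headers['Content-Security-Policy'], using
    # request.controller and request.function as the arguments.
    for page in [("default", "index"), ("default", "edit_event")]:
        header = build_csp(*page)
        print(page, "->", header, "| eval allowed:", allows_eval(header))
```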