On Feb 16, 11:54 am, FunkyRes <[email protected]> wrote:
> OK - I really do need to be able to define a function in the head and
> call a function with an argument.
>
> The form allows for uploading files. Thus I set a random upload
> identifier so that when submit is pressed and the form client side
> validates, a new window pops up with the upload identifier to get the
> progress of the upload from my server.
>
> The only way to move that to an external js file is to make the
> external js file dynamic and pass the upload identifier to it as a get
> variable.
>
> If that's what has to be done I suppose it has to be done, but there
> really should be a way to white list inline javascript functions -
> allow them if defined in the document head, and allow calling
> functions with arguments - since the policy restricts where external
> js can come from, the only functions that could be called are either
> standard javascript functions or functions defined in an allowed js
> file or the document head. Perhaps you could disallow javascript
> arguments that call a url not in an allowed domain (but you probably
> need to allow a url in the argument for things like opening up an
> upload progress window)

OK - I'm a bit embarrassed, I think it is clear I'm not a web dev by day ...

I can get the upload identifier externally by getElementById and looking at the value. I've got everything in that script external now and working peachy, so everything in this post can be disregarded.

_______________________________________________
dev-security mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security
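
The approach the reply settles on, as an added example that is not code from the original post: a static external script reads the server-generated upload identifier from the markup with getElementById and attaches the submit handler itself, so no inline script or inline handler is needed under the policy. The element ids, the `/upload-progress` path, the `id` query parameter and the identifier format are assumptions made for illustration.

```javascript
// upload-progress.js: a static file served from an origin the policy allows.
// Hypothetical names (not from the post): form id "upload-form",
// hidden field id "upload-id", progress endpoint "/upload-progress".

const UPLOAD_ID_PATTERN = /^[A-Za-z0-9]{8,64}$/; // assumed identifier format

// Read the identifier the server placed in a hidden form field, instead of
// having the server write it into an inline <script> block.
function readUploadId(doc) {
  const field = doc.getElementById("upload-id");
  const value = field ? String(field.value) : "";
  return UPLOAD_ID_PATTERN.test(value) ? value : null;
}

// Build the progress URL on the page's own origin only; the identifier is
// passed as an encoded query parameter, never concatenated into markup.
function progressUrl(origin, uploadId) {
  const url = new URL("/upload-progress", origin);
  url.searchParams.set("id", uploadId);
  return url.href;
}

// Takes the place of an inline onsubmit="..." attribute, which the policy blocks.
function wireUploadForm(doc, win) {
  const form = doc.getElementById("upload-form");
  if (!form) return false;
  form.addEventListener("submit", function () {
    const id = readUploadId(doc);
    if (id !== null) {
      win.open(progressUrl(win.location.origin, id), "uploadProgress",
               "width=400,height=120");
    }
  });
  return true;
}

// Wire up only when running in a browser.
if (typeof document !== "undefined") {
  document.addEventListener("DOMContentLoaded", function () {
    wireUploadForm(document, window);
  });
}
```

Because the script file is static, it can be cached and needs no per-request GET parameter; only the hidden field's value changes between page loads.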
