Download as
Browse Code »

Commit a9988d7ed90fca51bf88f0edeffd11f75f275151

Authored by Antonio Terceiro
1 parent a1fc3c49
Exists in master and in 29 other branches add_member_task_reject_details, admin_visible_profile, article-list-template, community_notifications, contact_admin_translation, event_fixes, fix_comments_pagination, fix_rails4_organization_ratings, fix_sign_up_form, follow_step_fix, forum_topic_creation, mirror_block_improvements, multi_env_on_remote_user, new_security, noosfero_spb_ci, organization_ratings_improvements, organization_ratings_link_to_profile_stable-spb-1.3, organization_ratings_translations_fix, profile_api_improvements, ratings_minor_fixes, remote_user_fix, send_email_to_admins, stable-spb-1.3, stable-spb-1.3-fixes, stable-spb-1.4, stable-spb-1.5, suggest_rejected_value, web_steps_improvements, xss_terminate_custom_options

ActionItem1018: allow entering arbitraty HTML 

We not trust completely the environment administrator to not enter
bad/dangerous HTML. Even the server side filter (xss_terminate) was
disabled.
Showing 3 changed files with 20 additions and 3 deletions   Show diff stats
app/models/environment.rb
  Diff comments   View file @a9988d7
... ... @@ -43,6 +43,7 @@ class Environment < ActiveRecord::Base
43 43  
44 44 'enterprise_activation' => _('Enable activation of enterprises'),
45 45 'warn_obsolete_browser' => _('Enable warning of obsolete browser'),
  46 + 'wysiwyg_editor_for_environment_home' => _('Use WYSIWYG editor to edit environment home page'),
46 47 }
47 48 end
48 49  
... ... @@ -385,7 +386,8 @@ class Environment < ActiveRecord::Base
385 386  
386 387 validates_format_of :contact_email, :with => Noosfero::Constants::EMAIL_FORMAT, :if => (lambda { |record| ! record.contact_email.blank? })
387 388  
388   - xss_terminate :only => [ :description, :message_for_disabled_enterprise ], :with => 'white_list'
  389 + xss_terminate :only => [ :message_for_disabled_enterprise ], :with => 'white_list'
  390 +
389 391  
390 392 # #################################################
391 393 # Business logic in general
... ...
app/views/admin_panel/site_info.rhtml
  Diff comments   View file @a9988d7
1 1 <h2><%= _('Site info') %></h2>
2 2  
3   -<%= render :file => 'shared/tiny_mce' %>
  3 +<% if @environment.enabled?('wysiwyg_editor_for_environment_home') %>
  4 + <%= render :file => 'shared/tiny_mce' %>
  5 +<% end %>
4 6  
5 7 <% labelled_form_for :environment, @environment do |f| %>
6 8  
7   - <%= f.text_area :description, :cols => 40, :style => 'width: 90%' %>
  9 + <%= labelled_form_field _('Homepage content'), text_area(:environment, :description, :cols => 40, :style => 'width: 90%') %>
8 10  
9 11 <% button_bar do %>
10 12 <%= submit_button(:save, _('Save')) %>
... ...
test/functional/admin_panel_controller_test.rb
  Diff comments   View file @a9988d7
... ... @@ -140,4 +140,17 @@ class AdminPanelControllerTest &lt; Test::Unit::TestCase
140 140  
141 141 assert_equal profile_template, e.enterprise_template
142 142 end
  143 +
  144 + should 'not use WYSWYIG if disabled' do
  145 + e = Environment.default; e.disable('wysiwyg_editor_for_environment_home'); e.save!
  146 + get :site_info
  147 + assert_no_tag :tag => "script", :content => /tinyMCE\.init/
  148 + end
  149 +
  150 + should 'use WYSWYIG if enabled' do
  151 + e = Environment.default; e.enable('wysiwyg_editor_for_environment_home'); e.save!
  152 + get :site_info
  153 + assert_tag :tag => "script", :content => /tinyMCE\.init/
  154 + end
  155 +
143 156 end
... ...