Download as
Browse Code »

Commit a9988d7ed90fca51bf88f0edeffd11f75f275151

Authored by Antonio Terceiro
1 parent a1fc3c49
Exists in master and in 28 other branches 1.2+SPB2, 2_split_by_role, add_fields_in_api, api_fixies, api_pagination, api_private_token, api_tasks, article_hit_count, blog_page_bug, checkbox_to_user_can_edit_page, communities_ratings, communities_ratings_moderation, community_ratings_rebase, fix_cloned_article_parent, fix_gallery_image_url, fix_javascript_categories, fix_optional_fields, fix_suggest_article, fix_user_email_validation, highlight_block_fix, notification_plugin, notification_plugin_rebase, script_to_update, split_by_role, stable, temp_ratings, tests, tests_fixies

ActionItem1018: allow entering arbitraty HTML 

We not trust completely the environment administrator to not enter
bad/dangerous HTML. Even the server side filter (xss_terminate) was
disabled.
Showing 3 changed files with 20 additions and 3 deletions   Show diff stats
app/models/environment.rb
  Diff comments   View file @a9988d7
... ... @@ -43,6 +43,7 @@ class Environment < ActiveRecord::Base
43 43  
44 44 'enterprise_activation' => _('Enable activation of enterprises'),
45 45 'warn_obsolete_browser' => _('Enable warning of obsolete browser'),
  46 + 'wysiwyg_editor_for_environment_home' => _('Use WYSIWYG editor to edit environment home page'),
46 47 }
47 48 end
48 49  
... ... @@ -385,7 +386,8 @@ class Environment < ActiveRecord::Base
385 386  
386 387 validates_format_of :contact_email, :with => Noosfero::Constants::EMAIL_FORMAT, :if => (lambda { |record| ! record.contact_email.blank? })
387 388  
388   - xss_terminate :only => [ :description, :message_for_disabled_enterprise ], :with => 'white_list'
  389 + xss_terminate :only => [ :message_for_disabled_enterprise ], :with => 'white_list'
  390 +
389 391  
390 392 # #################################################
391 393 # Business logic in general
... ...
app/views/admin_panel/site_info.rhtml
  Diff comments   View file @a9988d7
1 1 <h2><%= _('Site info') %></h2>
2 2  
3   -<%= render :file => 'shared/tiny_mce' %>
  3 +<% if @environment.enabled?('wysiwyg_editor_for_environment_home') %>
  4 + <%= render :file => 'shared/tiny_mce' %>
  5 +<% end %>
4 6  
5 7 <% labelled_form_for :environment, @environment do |f| %>
6 8  
7   - <%= f.text_area :description, :cols => 40, :style => 'width: 90%' %>
  9 + <%= labelled_form_field _('Homepage content'), text_area(:environment, :description, :cols => 40, :style => 'width: 90%') %>
8 10  
9 11 <% button_bar do %>
10 12 <%= submit_button(:save, _('Save')) %>
... ...
test/functional/admin_panel_controller_test.rb
  Diff comments   View file @a9988d7
... ... @@ -140,4 +140,17 @@ class AdminPanelControllerTest &lt; Test::Unit::TestCase
140 140  
141 141 assert_equal profile_template, e.enterprise_template
142 142 end
  143 +
  144 + should 'not use WYSWYIG if disabled' do
  145 + e = Environment.default; e.disable('wysiwyg_editor_for_environment_home'); e.save!
  146 + get :site_info
  147 + assert_no_tag :tag => "script", :content => /tinyMCE\.init/
  148 + end
  149 +
  150 + should 'use WYSWYIG if enabled' do
  151 + e = Environment.default; e.enable('wysiwyg_editor_for_environment_home'); e.save!
  152 + get :site_info
  153 + assert_tag :tag => "script", :content => /tinyMCE\.init/
  154 + end
  155 +
143 156 end
... ...