Commit a9988d7ed90fca51bf88f0edeffd11f75f275151
1 parent
a1fc3c49
Exists in
master
and in
28 other branches
ActionItem1018: allow entering arbitraty HTML
We not trust completely the environment administrator to not enter bad/dangerous HTML. Even the server side filter (xss_terminate) was disabled.
Showing
3 changed files
with
20 additions
and
3 deletions
Show diff stats
app/models/environment.rb
| @@ -43,6 +43,7 @@ class Environment < ActiveRecord::Base | @@ -43,6 +43,7 @@ class Environment < ActiveRecord::Base | ||
| 43 | 43 | ||
| 44 | 'enterprise_activation' => _('Enable activation of enterprises'), | 44 | 'enterprise_activation' => _('Enable activation of enterprises'), |
| 45 | 'warn_obsolete_browser' => _('Enable warning of obsolete browser'), | 45 | 'warn_obsolete_browser' => _('Enable warning of obsolete browser'), |
| 46 | + 'wysiwyg_editor_for_environment_home' => _('Use WYSIWYG editor to edit environment home page'), | ||
| 46 | } | 47 | } |
| 47 | end | 48 | end |
| 48 | 49 | ||
| @@ -385,7 +386,8 @@ class Environment < ActiveRecord::Base | @@ -385,7 +386,8 @@ class Environment < ActiveRecord::Base | ||
| 385 | 386 | ||
| 386 | validates_format_of :contact_email, :with => Noosfero::Constants::EMAIL_FORMAT, :if => (lambda { |record| ! record.contact_email.blank? }) | 387 | validates_format_of :contact_email, :with => Noosfero::Constants::EMAIL_FORMAT, :if => (lambda { |record| ! record.contact_email.blank? }) |
| 387 | 388 | ||
| 388 | - xss_terminate :only => [ :description, :message_for_disabled_enterprise ], :with => 'white_list' | 389 | + xss_terminate :only => [ :message_for_disabled_enterprise ], :with => 'white_list' |
| 390 | + | ||
| 389 | 391 | ||
| 390 | # ################################################# | 392 | # ################################################# |
| 391 | # Business logic in general | 393 | # Business logic in general |
app/views/admin_panel/site_info.rhtml
| 1 | <h2><%= _('Site info') %></h2> | 1 | <h2><%= _('Site info') %></h2> |
| 2 | 2 | ||
| 3 | -<%= render :file => 'shared/tiny_mce' %> | 3 | +<% if @environment.enabled?('wysiwyg_editor_for_environment_home') %> |
| 4 | + <%= render :file => 'shared/tiny_mce' %> | ||
| 5 | +<% end %> | ||
| 4 | 6 | ||
| 5 | <% labelled_form_for :environment, @environment do |f| %> | 7 | <% labelled_form_for :environment, @environment do |f| %> |
| 6 | 8 | ||
| 7 | - <%= f.text_area :description, :cols => 40, :style => 'width: 90%' %> | 9 | + <%= labelled_form_field _('Homepage content'), text_area(:environment, :description, :cols => 40, :style => 'width: 90%') %> |
| 8 | 10 | ||
| 9 | <% button_bar do %> | 11 | <% button_bar do %> |
| 10 | <%= submit_button(:save, _('Save')) %> | 12 | <%= submit_button(:save, _('Save')) %> |
test/functional/admin_panel_controller_test.rb
| @@ -140,4 +140,17 @@ class AdminPanelControllerTest < Test::Unit::TestCase | @@ -140,4 +140,17 @@ class AdminPanelControllerTest < Test::Unit::TestCase | ||
| 140 | 140 | ||
| 141 | assert_equal profile_template, e.enterprise_template | 141 | assert_equal profile_template, e.enterprise_template |
| 142 | end | 142 | end |
| 143 | + | ||
| 144 | + should 'not use WYSWYIG if disabled' do | ||
| 145 | + e = Environment.default; e.disable('wysiwyg_editor_for_environment_home'); e.save! | ||
| 146 | + get :site_info | ||
| 147 | + assert_no_tag :tag => "script", :content => /tinyMCE\.init/ | ||
| 148 | + end | ||
| 149 | + | ||
| 150 | + should 'use WYSWYIG if enabled' do | ||
| 151 | + e = Environment.default; e.enable('wysiwyg_editor_for_environment_home'); e.save! | ||
| 152 | + get :site_info | ||
| 153 | + assert_tag :tag => "script", :content => /tinyMCE\.init/ | ||
| 154 | + end | ||
| 155 | + | ||
| 143 | end | 156 | end |