preventing irb from being executed from pages content
Oleg
committed Feb 04, 2011
commit 3bcf6c05b6997e2e7a4725816ff7899fb7804186
Showing 7
changed files with
60 additions
and 4 deletions
.gemtest
+0
-0
config/initializers/comfortable_mexican_sofa.rb
+5
-0
| @@ | @@ -20,6 +20,11 @@ ComfortableMexicanSofa.configure do |config| |
| # Let CMS handle site creation and management. Enabled by default. | |
| # config.auto_manage_sites = true | |
| + | |
| + | # By default you cannot have irb code inside your layouts/pages/snippets. |
| + | # Generally this is to prevent putting something like this: |
| + | # <% User.delete_all %> but if you really want to allow it... |
| + | # config.disable_irb = true |
| end | |
| # Default credentials for ComfortableMexicanSofa::HttpAuth | |
comfortable_mexican_sofa/cms_tag.rb b/lib/comfortable_mexican_sofa/cms_tag.rb
+6
-1
| @@ | @@ -67,7 +67,12 @@ module CmsTag |
| # Content that is used during page rendering. Outputting existing content | |
| # as a default. | |
| def render | |
| - | content.to_s |
| + | # cleaning content from possible irb stuff. Partial and Helper tags are OK. |
| + | if ComfortableMexicanSofa.config.disable_irb && ![CmsTag::Partial, CmsTag::Helper].member?(self.class) |
| + | content.to_s.gsub('<%', '<%').gsub('%>', '%>') |
| + | else |
| + | content.to_s |
| + | end |
| end | |
| end | |
comfortable_mexican_sofa/configuration.rb b/lib/comfortable_mexican_sofa/configuration.rb
+5
-1
| @@ | @@ -21,14 +21,18 @@ class ComfortableMexicanSofa::Configuration |
| # Let CMS handle site creation and management. Enabled by default. | |
| attr_accessor :auto_manage_sites | |
| + | # Not allowing irb code to be run inside page content. True by default. |
| + | attr_accessor :disable_irb |
| + | |
| # Configuration defaults | |
| def initialize | |
| - | @cms_title = 'ComfortableMexicanSofa' |
| + | @cms_title = 'ComfortableMexicanSofa MicroCMS' |
| @authentication = 'ComfortableMexicanSofa::HttpAuth' | |
| @seed_data_path = nil | |
| @admin_route_prefix = 'cms-admin' | |
| @admin_route_redirect = "/#{@admin_route_prefix}/pages" | |
| @auto_manage_sites = true | |
| + | @disable_irb = true |
| end | |
| end | |
| \ No newline at end of file | |
test/functional/cms_content_controller_test.rb
+40
-0
| @@ | @@ -67,6 +67,46 @@ class CmsContentControllerTest < ActionController::TestCase |
| assert_response 404 | |
| end | |
| + | def test_render_page_with_irb_disabled |
| + | assert ComfortableMexicanSofa.config.disable_irb |
| + | |
| + | irb_page = cms_sites(:default).cms_pages.create!( |
| + | :label => 'irb', |
| + | :slug => 'irb', |
| + | :parent_id => cms_pages(:default).id, |
| + | :cms_layout_id => cms_layouts(:default).id, |
| + | :is_published => '1', |
| + | :cms_blocks_attributes => [ |
| + | { :label => 'default_page_text', |
| + | :type => 'CmsTag::PageText', |
| + | :content => 'text <%= 2 + 2 %> text' } |
| + | ] |
| + | ) |
| + | get :render_html, :cms_path => 'irb' |
| + | assert_response :success |
| + | assert_match "text <%= 2 + 2 %> text", response.body |
| + | end |
| + | |
| + | def test_render_page_with_irb_enabled |
| + | ComfortableMexicanSofa.config.disable_irb = false |
| + | |
| + | irb_page = cms_sites(:default).cms_pages.create!( |
| + | :label => 'irb', |
| + | :slug => 'irb', |
| + | :parent_id => cms_pages(:default).id, |
| + | :cms_layout_id => cms_layouts(:default).id, |
| + | :is_published => '1', |
| + | :cms_blocks_attributes => [ |
| + | { :label => 'default_page_text', |
| + | :type => 'CmsTag::PageText', |
| + | :content => 'text <%= 2 + 2 %> text' } |
| + | ] |
| + | ) |
| + | get :render_html, :cms_path => 'irb' |
| + | assert_response :success |
| + | assert_match "text 4 text", response.body |
| + | end |
| + | |
| def test_render_css | |
| get :render_css, :id => cms_layouts(:default).slug | |
| assert_response :success | |
test/test_helper.rb
+2
-1
| @@ | @@ -14,12 +14,13 @@ class ActiveSupport::TestCase |
| # resetting default configuration | |
| def reset_config | |
| ComfortableMexicanSofa.configure do |config| | |
| - | config.cms_title = 'ComfortableMexicanSofa' |
| + | config.cms_title = 'ComfortableMexicanSofa MicroCMS' |
| config.authentication = 'ComfortableMexicanSofa::HttpAuth' | |
| config.seed_data_path = nil | |
| config.admin_route_prefix = 'cms-admin' | |
| config.admin_route_redirect = "/cms-admin/pages" | |
| config.auto_manage_sites = true | |
| + | config.disable_irb = true |
| end | |
| ComfortableMexicanSofa::HttpAuth.username = 'username' | |
| ComfortableMexicanSofa::HttpAuth.password = 'password' | |
test/unit/cms_configuration_test.rb
+2
-1
| @@ | @@ -4,11 +4,12 @@ class CmsConfigurationTest < ActiveSupport::TestCase |
| def test_configuration_presense | |
| assert config = ComfortableMexicanSofa.configuration | |
| - | assert_equal 'ComfortableMexicanSofa', config.cms_title |
| + | assert_equal 'ComfortableMexicanSofa MicroCMS', config.cms_title |
| assert_equal 'ComfortableMexicanSofa::HttpAuth', config.authentication | |
| assert_equal nil, config.seed_data_path | |
| assert_equal 'cms-admin', config.admin_route_prefix | |
| assert_equal '/cms-admin/pages', config.admin_route_redirect | |
| + | assert_equal true, config.disable_irb |
| end | |
| def test_initialization_overrides | |