fixing the bug where you could execute erb in cms layouts

Oleg committed Sep 22, 2011
commit bec21cf34ab38ffbec8d1b71caad86bcf8d091bf
Showing 3 changed files with 67 additions and 8 deletions
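--- a/app/models/cms/page.rb
+++ b/app/models/cms/page.rb
@@ -100,7 +100,14 @@ class Cms::Page < ActiveRecord::Base
 @content = nil if force_reload
 @content ||= begin
 self.tags = [] # resetting
-layout ? ComfortableMexicanSofa::Tag.process_content(self, layout.merged_content) : ''
+if layout
+ComfortableMexicanSofa::Tag.process_content(
+self,
+ComfortableMexicanSofa::Tag.sanitize_irb(layout.merged_content)
+)
+else
+''
+end
 end
 end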
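Review bot: Escaping `layout.merged_content` before `process_content` runs means the layout, each block and each snippet are escaped as separate fragments, while the escape only recognises a delimiter that sits wholly inside one fragment; a delimiter whose characters come from two adjacent fragments is only formed by the substitution itself, and nothing on the new side of this hunk or the tag.rb hunks looks at the assembled result. The robust place for the escape is the fully assembled string that `process_content` returns, which in turn requires the Partial and Helper output to be produced by something other than an exemption from the escape; that is larger than this fix, so at minimum I'd record the assumption next to the call: `# NOTE: fragments are escaped one at a time before assembly; a delimiter split across a tag boundary is not caught here`. The enclosing `content` method starts outside the hunk.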
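--- a/lib/comfortable_mexican_sofa/tag.rb
+++ b/lib/comfortable_mexican_sofa/tag.rb
@@ -67,13 +67,8 @@ module ComfortableMexicanSofa::Tag
 # Content that is used during page rendering. Outputting existing content
 # as a default.
 def render
-# cleaning content from possible irb stuff. Partial and Helper tags are OK.
-if !ComfortableMexicanSofa.config.allow_irb &&
-![ComfortableMexicanSofa::Tag::Partial, ComfortableMexicanSofa::Tag::Helper].member?(self.class)
-content.to_s.gsub('<%', '&lt;%').gsub('%>', '%&gt;')
-else
-content.to_s
-end
+ignore = [ComfortableMexicanSofa::Tag::Partial, ComfortableMexicanSofa::Tag::Helper].member?(self.class)
+ComfortableMexicanSofa::Tag.sanitize_irb(content, ignore)
 end
 # Find or initialize Cms::Block object
@@ -131,6 +126,15 @@ private
 end.join('')
 end
+# Cleaning content from possible irb stuff. Partial and Helper tags are OK.
+def self.sanitize_irb(content, ignore = false)
+if ComfortableMexicanSofa.config.allow_irb || ignore
+content.to_s
+else
+content.to_s.gsub('<%', '&lt;%').gsub('%>', '%&gt;')
+end
+end
+
 def self.included(tag)
 tag.send(:include, ComfortableMexicanSofa::Tag::InstanceMethods)
 tag.send(:extend, ComfortableMexicanSofa::Tag::ClassMethods)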
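Review bot: The `ignore` parameter of `sanitize_irb` in the second hunk is a bare positional boolean, so the call site `ComfortableMexicanSofa::Tag.sanitize_irb(content, ignore)` in `render` does not say what is being ignored; a name tied to the effect reads better, e.g. `def self.sanitize_irb(content, skip_escaping = false)` with `if ComfortableMexicanSofa.config.allow_irb || skip_escaping`. The header comment says "irb stuff" while the method escapes ERB delimiters, which is also what the `allow_irb` setting really toggles, so I'd replace it with `# Escapes ERB delimiters (<% and %>) so stored content is never evaluated as a template. Skipped when config.allow_irb is set or when the caller asks for it; Partial and Helper tags emit ERB on purpose.` Since Partial and Helper are the only tags trusted to emit ERB, the values they interpolate into it (the test expects `<%= method() %>` for `cms:helper:method`) are presumably the remaining trust boundary; that is outside this diff but deserves a sentence next to the exemption in `render`. Note that `sanitize_irb` is a `def self.` method placed after `private`, which does not make it private, and it is called from page.rb, so it is effectively public API.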
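--- a/test/unit/tag_test.rb
+++ b/test/unit/tag_test.rb
@@ -220,4 +220,52 @@ class TagTest < ActiveSupport::TestCase
 assert !tag.is_cms_block?
 end
+def test_content_with_irb_disabled
+assert_equal false, ComfortableMexicanSofa.config.allow_irb
+
+site = cms_sites(:default)
+layout = site.layouts.create!(
+:slug => 'no-irb-layout',
+:content => '<% 1 + 1 %> {{cms:page:content}} <%= 1 + 1 %>'
+)
+snippet = site.snippets.create!(
+:slug => 'no-irb-snippet',
+:content => '<% 2 + 2 %> snippet <%= 2 + 2 %>'
+)
+page = site.pages.create!(
+:slug => 'no-irb-page',
+:parent_id => cms_pages(:default).id,
+:layout_id => layout.id,
+:blocks_attributes => [
+{ :label => 'content',
+:content => 'text {{ cms:snippet:no-irb-snippet }} {{ cms:partial:path/to }} {{ cms:helper:method }} text' }
+]
+)
+assert_equal "&lt;% 1 + 1 %&gt; text &lt;% 2 + 2 %&gt; snippet &lt;%= 2 + 2 %&gt; <%= render :partial => 'path/to' %> <%= method() %> text &lt;%= 1 + 1 %&gt;", page.content
+end
+
+def test_content_with_irb_enabled
+ComfortableMexicanSofa.config.allow_irb = true
+
+site = cms_sites(:default)
+layout = site.layouts.create!(
+:slug => 'irb-layout',
+:content => '<% 1 + 1 %> {{cms:page:content}} <%= 1 + 1 %>'
+)
+snippet = site.snippets.create!(
+:slug => 'irb-snippet',
+:content => '<% 2 + 2 %> snippet <%= 2 + 2 %>'
+)
+page = site.pages.create!(
+:slug => 'irb-page',
+:parent_id => cms_pages(:default).id,
+:layout_id => layout.id,
+:blocks_attributes => [
+{ :label => 'content',
+:content => 'text {{ cms:snippet:irb-snippet }} {{ cms:partial:path/to }} {{ cms:helper:method }} text' }
+]
+)
+assert_equal "<% 1 + 1 %> text <% 2 + 2 %> snippet <%= 2 + 2 %> <%= render :partial => 'path/to' %> <%= method() %> text <%= 1 + 1 %>", page.content
+end
+
 end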
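Review bot: `test_content_with_irb_enabled` sets `ComfortableMexicanSofa.config.allow_irb = true` on a process-wide config object and never restores it, while `test_content_with_irb_disabled` starts by asserting that the same flag is `false`; whichever test runs second decides whether the suite passes, and any other test relying on the secure default is affected too. Restore the flag on the way out of the method, e.g. add `ensure` and `ComfortableMexicanSofa.config.allow_irb = false` before the method's closing `end` (or do it in a `teardown`). The precondition assert in the disabled test is worth keeping, since it turns this ordering problem into a visible failure rather than a silently passing test.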