@@ -297,11 +297,16 @@ class BasketsController < ApplicationController def update_appearance @basket = Basket.find(params[:id]) do_not_sanitize = (params[:settings][:do_not_sanitize_footer_content] == 'true') + original_html = params[:settings][:additional_footer_content] + sanitized_html = original_html unless do_not_sanitize && @site_admin - params[:settings][:additional_footer_content] = sanitize(params[:settings][:additional_footer_content]) + sanitized_html = sanitize(original_html) + params[:settings][:additional_footer_content] = sanitized_html end set_settings flash[:notice] = 'Basket appearance was updated.' + logger.debug("sanitized yes") if original_html != sanitized_html + flash[:notice] += ' Your submitted footer content was changed for security reasons.' if original_html != sanitized_html redirect_to :action => :appearance end @@ -378,7 +383,7 @@ class BasketsController < ApplicationController end def current_basket_is_selected? - params[:id].blank? or @current_basket.id == params[:id] + params[:id].blank? || @current_basket.id == params[:id] end private app/controllers/baskets_controller.rb 74f5860aa9e549b9c585ef32bb5709538b1e6c75 Walter McGinnis walter@katipo.co.nz http://github.com/kete/kete/commit/6eff4ae9f97657f174e1222f443079613a9e52bf 6eff4ae9f97657f174e1222f443079613a9e52bf 2008-11-20T19:01:43-08:00 2008-11-20T19:01:43-08:00 refinement: adding message if the submitted html is changed because it is insecure, so user doesn't get unexpected results. 91829ee9e78c657e53e01f154d2d4d5177ad7bb8 Walter McGinnis walter@katipo.co.nz