Refinement: add a message when the submitted HTML is changed because it
is insecure, so the user does not get unexpected results.
walter (author)
Thu Nov 20 19:01:43 -0800 2008
commit  6eff4ae9f97657f174e1222f443079613a9e52bf
tree    91829ee9e78c657e53e01f154d2d4d5177ad7bb8
parent  74f5860aa9e549b9c585ef32bb5709538b1e6c75
@@ -297,11 +297,16 @@ class BasketsController < ApplicationController
0
   def update_appearance
0
     @basket = Basket.find(params[:id])
0
     do_not_sanitize = (params[:settings][:do_not_sanitize_footer_content] == 'true')
0
+    original_html = params[:settings][:additional_footer_content]
0
+    sanitized_html = original_html
0
     unless do_not_sanitize && @site_admin
0
-      params[:settings][:additional_footer_content] = sanitize(params[:settings][:additional_footer_content])
0
+      sanitized_html = sanitize(original_html)
0
+      params[:settings][:additional_footer_content] = sanitized_html
0
     end
0
     set_settings
0
     flash[:notice] = 'Basket appearance was updated.'
0
+    logger.debug("sanitized yes") if original_html != sanitized_html
0
+    flash[:notice] += ' Your submitted footer content was changed for security reasons.' if original_html != sanitized_html
0
     redirect_to :action => :appearance
0
   end
0
 
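Review bot: The notice added on the `flash[:notice] +=` line is driven by a plain byte comparison of `original_html` with the sanitizer's output, and a white-list sanitizer normally re-serializes markup (attribute quoting, entity encoding, tag closing) even when nothing unsafe was present, so benign footer HTML is likely to be reported as "changed for security reasons"; verify with a harmless sample, and if it misfires either soften the wording or normalize whitespace and entities before comparing. The same comparison is only safe for a missing parameter if `sanitize(nil)` returns nil, which the hunk does not show; a guard such as `changed = !original_html.blank? && original_html != sanitized_html` used by both the log and flash lines would make that explicit. `logger.debug("sanitized yes")` is not actionable in a log: record which basket was affected, e.g. `logger.info("Footer content for basket #{@basket.id} was sanitized")`, but keep the raw submitted HTML out of the log. `@site_admin` and `set_settings` are defined outside the hunk, so the admin bypass, which stores the HTML unsanitized and issues no notice, is taken on trust here.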
0
@@ -378,7 +383,7 @@ class BasketsController < ApplicationController
0
   end
0
 
0
   def current_basket_is_selected?
0
-    params[:id].blank? or @current_basket.id == params[:id]
0
+    params[:id].blank? || @current_basket.id == params[:id]
0
   end
0
 
0
   private
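Review bot: The rewritten expression `@current_basket.id == params[:id]` compares what is presumably an Integer primary key with a String request parameter, so unless `params[:id]` is coerced before this point the right-hand side is always false and the method returns true only when `params[:id]` is blank; the `or`→`||` change preserves that. If that is not intended, `@current_basket.id.to_s == params[:id].to_s` compares like with like. Whether `@current_basket` can be nil here depends on a filter outside the hunk.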