Commit 6eff4ae9f97657f174e1222f443079613a9e52bf to kete's kete

kete / kete

Description:	Kete was developed by Horowhenua Library Trust and Katipo Communications Ltd. to build a digital library of Horowhenua material. edit
Homepage:	http://kete.net.nz/ edit
Public Clone URL:	git://github.com/kete/kete.git Give this clone URL to anyone. `git clone git://github.com/kete/kete.git`
Your Clone URL:	git@github.com:kete/kete.git Use this clone URL yourself. `git clone git@github.com:kete/kete.git`

refinement: adding message if the submitted html is changed because it
is insecure, so user doesn't get unexpected results.

walter (author)

Thu Nov 20 19:01:43 -0800 2008

commit 6eff4ae9f97657f174e1222f443079613a9e52bf
tree 91829ee9e78c657e53e01f154d2d4d5177ad7bb8
parent 74f5860aa9e549b9c585ef32bb5709538b1e6c75

app/controllers/baskets_controller.rb

app/controllers/baskets_controller.rb

0
@@ -297,11 +297,16 @@ class BasketsController < ApplicationController
0
   def update_appearance
0
     @basket = Basket.find(params[:id])
0
     do_not_sanitize = (params[:settings][:do_not_sanitize_footer_content] == 'true')
0
+    original_html = params[:settings][:additional_footer_content]
0
+    sanitized_html = original_html
0
     unless do_not_sanitize && @site_admin
0
-      params[:settings][:additional_footer_content] = sanitize(params[:settings][:additional_footer_content])
0
+      sanitized_html = sanitize(original_html)
0
+      params[:settings][:additional_footer_content] = sanitized_html
0
     end
0
     set_settings
0
     flash[:notice] = 'Basket appearance was updated.'
0
+    logger.debug("sanitized yes") if original_html != sanitized_html
0
+    flash[:notice] += ' Your submitted footer content was changed for security reasons.' if original_html != sanitized_html
0
     redirect_to :action => :appearance
0
   end
0
 
0
@@ -378,7 +383,7 @@ class BasketsController < ApplicationController
0
   end
0
 
0
   def current_basket_is_selected?
0
-    params[:id].blank? or @current_basket.id == params[:id]
0
+    params[:id].blank? || @current_basket.id == params[:id]
0
   end
0
 
0
   private

Comments