Merge branch 'knewter/master'

VERSION

@@ -1 +1 @@
-0.1.1
+0.1.2

app/helpers/content_section_helper.rb

@@ -5,10 +5,13 @@ def rollback_dropdown content_section, options={}
     the_options = options_for_select(versions.reverse)
     the_id = content_section.id
     the_select = content_tag("select", the_options, :onchange => "redirect_to_rollback_link(#{the_id}, this.options[this.selectedIndex].value)")
-    content_tag("div", the_select, :id => options[:id])
+    dropdown = content_tag("div", the_select, :id => options[:id])
+    dropdown
   end
 
   def versions_array content_section
-    (1..content_section.versions.length).to_a
+    content_section.versions.map do |version|
+      ["Version ##{version.version} - " + version.created_at.to_s, version.version]
+    end
   end
 end

app/models/site_setting.rb

@@ -1,4 +1,6 @@
 class SiteSetting < ActiveRecord::Base
+  include CssSanitize
+
   def get_theme_setting
     theme_setting = self.send(:user_theme_name)
     theme_setting.blank? ? 'default' : theme_setting

app/views/admin/site_settings/edit.html.erb

@@ -11,6 +11,7 @@
     <table class='form-table'>
       <%= form_row "Site Title", f.text_field(:site_title) %>
       <%= form_row "Show in-line edit links?", f.check_box(:show_inline_edit_links) %>
+      <%= form_row "Custom CSS", f.text_area(:custom_css) %>
     </table>
   </div>
   <br />

app/views/admin/site_settings/show.html.erb

@@ -7,6 +7,7 @@
   <table class='form-table'>
     <%= form_row "Site Title", @settings.site_title -%>
     <%= form_row "Show in-line edit links?", @settings.show_inline_edit_links? ? 'Yes' : 'No' -%>
+    <%= form_row "Custom CSS", content_tag("pre", get_setting(:custom_css)) -%>
     <%= form_row "User Theme", "<img src='#{fetch_theme_preview_ansuz_themes_path(:id => @settings.get_theme_setting)}' alt='#{@settings.get_theme_setting}' />" + "<br />" + @settings.get_theme_setting + " " + link_to("(change)", choose_theme_admin_site_settings_path) -%>
   </table>
 </div>

app/views/layouts/admin.html.erb

@@ -39,6 +39,7 @@
         <ul>
 
           <li><%= link_to("Visit site", "/") %></li>
+          <li><%= link_to("Google Group", "http://groups.google.com/group/ansuz-cms/topics") %></li>
           <li><%= link_to "File a Bug Report", "http://ansuz.lighthouseapp.com/projects/15780-ansuz/tickets/new" %></li>
           <li><%= link_to "Make a Feature Request", "http://ansuzcms.crowdsound.com/suggestions/new" %></li>
         </ul>

app/views/shared/_stylesheets.html.erb

@@ -6,3 +6,6 @@
 <%= stylesheet_link_tag 'jquery.lightbox-0.5.css' %>
 <%= stylesheet_link_tag 'jquery.popeye.css' %>
 <%= stylesheet_link_tag 'galimg' %>
+<style type='text/css'>
+  <%= get_setting(:custom_css) %>
+</style>

config/routes.rb

@@ -13,6 +13,7 @@
   map.from_plugin :ansuz_feed_reader
   map.from_plugin :ansuz_jskit
   map.from_plugin :ansuz_twitterati
+  map.from_plugin :ansuz_database_dumper
 
   map.resources :tags
   map.resources :users

db/migrate/20090103012646_add_custom_css_to_site_settings.rb

@@ -0,0 +1,9 @@
+class AddCustomCssToSiteSettings < ActiveRecord::Migration
+  def self.up
+    add_column :site_settings, :custom_css, :text
+  end
+
+  def self.down
+    remove_column :site_settings, :custom_css
+  end
+end

db/schema.rb

@@ -9,7 +9,7 @@
 #
 # It's strongly recommended to check this file into your version control system.
 
-ActiveRecord::Schema.define(:version => 20081226000031) do
+ActiveRecord::Schema.define(:version => 20090103012646) do
 
   create_table "ansuz_themes", :force => true do |t|
     t.string   "name"
@@ -34,6 +34,7 @@
     t.integer  "created_by"
     t.datetime "created_at"
     t.datetime "updated_at"
+    t.string   "url"
   end
 
   create_table "content_section_versions", :force => true do |t|
@@ -256,6 +257,7 @@
     t.datetime "updated_at"
     t.string   "site_title"
     t.boolean  "show_inline_edit_links", :default => false
+    t.text     "custom_css"
   end
 
   create_table "taggings", :force => true do |t|

lib/site_settings_helper.rb

@@ -7,6 +7,7 @@ def get_theme_setting
     settings.get_theme_setting
   end
 
+  protected
   def settings
     SiteSetting.find_or_create_by_name(:default)
   end

lib/tasks/backup.rake

@@ -0,0 +1,47 @@
+namespace :db do
+  namespace :backup do
+
+    def interesting_tables
+      ActiveRecord::Base.connection.tables.sort.reject! do |tbl|
+        ['schema_info', 'sessions', 'public_exceptions'].include?(tbl)
+      end
+    end
+
+    desc "Dump entire db."
+    task :write => :environment do 
+
+      dir = RAILS_ROOT + '/db/backup'
+      FileUtils.mkdir_p(dir)
+      FileUtils.chdir(dir)
+
+      interesting_tables.each do |tbl|
+
+        klass = tbl.classify.constantize
+        puts "Writing #{tbl}..."
+        File.open("#{tbl}.yml", 'w+') { |f| YAML.dump klass.find(:all).collect(&:attributes), f }      
+      end
+
+    end
+
+    task :read => [:environment, 'db:schema:load'] do 
+
+      dir = RAILS_ROOT + '/db/backup'
+      FileUtils.mkdir_p(dir)
+      FileUtils.chdir(dir)
+
+      interesting_tables.each do |tbl|
+
+        klass = tbl.classify.constantize
+        ActiveRecord::Base.transaction do 
+
+          puts "Loading #{tbl}..."
+          YAML.load_file("#{tbl}.yml").each do |fixture|
+            ActiveRecord::Base.connection.execute "INSERT INTO #{tbl} (#{fixture.keys.join(",")}) VALUES (#{fixture.values.collect { |value| ActiveRecord::Base.connection.quote(value) }.join(",")})", 'Fixture Insert'
+          end        
+        end
+      end
+
+    end
+
+  end
+end

public/javascripts/fckcustom.js

@@ -31,3 +31,5 @@ FCKConfig.ToolbarSets["Simple"] = [
 	['TextColor','BGColor'],
 	['-','About']
 ] ;
+
+FCKConfig.EnterMode = 'br';

public/proxy.html

@@ -0,0 +1,10 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<html>
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
+<script type="text/javascript" src="http://www.netvibes.com/js/UWA/Utils/ifproxy.js"></script>
+<title>UWA Container Proxy</title>
+</head>
+<body>
+</body>
+</html>

vendor/plugins/ansuz_content_section/app/views/admin/content_sections/_edit.html.erb

@@ -1,7 +1,9 @@
 <% @content_section = plugin_module if local_assigns.include?(:plugin_module) %>
 <% remote_form_for :content_section, @content_section, :url => admin_content_section_path(@content_section), :html => { :method => :put }, :before => fckeditor_before_js(:content_section, :contents), :success => "update_dropdown_for(#{@content_section.id})" do |f| -%>
   <%= fckeditor_textarea(:content_section, :contents, :toolbarSet => 'Simple', :width => '100%', :height => '400px', :ajax => true) -%><br />
-  <%= rollback_dropdown(@content_section) %>
+  <table class='form-table'>
+    <%= form_row "Revision", rollback_dropdown(@content_section) %>
+  </table>
   <%= submit_tag("Update Content Section", :id => 'close_modal_and_flash') -%>
 <% end -%>
 <div class="clear"></div>

vendor/plugins/ansuz_database_dumper/app/controllers/admin/database_dumpers_controller.rb

@@ -0,0 +1,21 @@
+class Admin::DatabaseDumpersController < Admin::BaseController
+  def show
+  end
+
+  def mysql_dump
+    backup_path = File.join(RAILS_ROOT, "tmp", Time.now.to_f.to_s)
+    config = Rails::Configuration.new.database_configuration[RAILS_ENV]
+    options = []
+    options << "-u#{config["username"]}"
+    options << "-p#{config["password"]}" unless config["password"].blank?
+    options << "#{config["database"]}"
+    command = "mysqldump #{options.join(" ")} > #{backup_path}"
+    logger.info command
+    begin
+      `#{command}`
+      render :file => backup_path
+    ensure
+      File.delete backup_path
+    end
+  end
+end

vendor/plugins/ansuz_database_dumper/app/views/admin/database_dumpers/show.html.erb

@@ -0,0 +1,8 @@
+<%= title "Import / Export your data" %>
+<% content_for :sidebar do %>
+  <div class='note'>
+    At present, only mysql is supported.  We should make that not true.
+  </div>
+<% end %>
+
+<%= link_to "Download a dump of your database", mysql_dump_admin_database_dumper_path %>

vendor/plugins/ansuz_database_dumper/init.rb

@@ -0,0 +1 @@
+Ansuz::PluginManagerInstance.register_admin_menu_entry('Ansuz', 'Database Import/Export', '/admin/database_dumper')

vendor/plugins/ansuz_database_dumper/routes.rb

@@ -0,0 +1,3 @@
+namespace :admin do |admin|
+  admin.resource :database_dumper, :collection => [:mysql_dump]
+end

vendor/plugins/css_file_sanitize/lib/css_sanitize.rb

@@ -0,0 +1,26 @@
+# Include this module into your ActiveRecord model.
+module CssSanitize
+
+  def custom_css=(text)
+    # Mostly stolen from http://code.sixapart.com/svn/CSS-Cleaner/trunk/lib/CSS/Cleaner.pm
+    text = "Error: invalid/disallowed characters in CSS" if text =~ /(\w\/\/)/    # a// comment immediately following a letter
+    text = "Error: invalid/disallowed characters in CSS" if text =~ /(\w\/\/*\*)/ # a/* comment immediately following a letter
+    text = "Error: invalid/disallowed characters in CSS" if text =~ /(\/\*\/)/            # /*/ --> hack attempt, IMO
+
+    # Now, strip out any comments, and do some parsing.
+    no_comments = text.gsub(/(\/\*.*?\*\/)/, "") # filter out any /* ... */
+    no_comments.gsub!("\n", "")
+    # No backslashes allowed
+    evil = [
+      /(\bdata:\b|eval|cookie|\bwindow\b|\bparent\b|\bthis\b)/i, # suspicious javascript-type words
+      /behaviou?r|expression|moz-binding|@import|@charset|(java|vb)?script|[\<]|\\\w/i,
+      /[\<>]/, # back slash, html tags,
+      /[\x7f-\xff]/, # high bytes -- suspect
+      /[\x00-\x08\x0B\x0C\x0E-\x1F]/, #low bytes -- suspect
+      /&\#/, # bad charset
+    ]
+    evil.each { |regex| text = "Error: invalid/disallowed characters in CSS" and break if no_comments =~ regex }
+
+    write_attribute :custom_css, text
+  end
+end

vendor/plugins/css_file_sanitize/test/css_sanitize_test.rb

@@ -0,0 +1,115 @@
+require File.dirname(__FILE__) + '/../test_helper'
+
+class Site < ActiveRecord::Base
+  include CssSanitize
+end
+
+class CssSanitizeTest < Test::Unit::TestCase
+
+  before do
+    @site = Site.new(:name => 'Foo', :owner_id => 1)
+  end
+
+  it "disallows evil css" do
+    bad_strings = [
+      "div.foo { width: 500px; behavior: url(http://foo.com); height: 200px; }",
+      ".test { color: red; background-image: url('javascript:alert');  border: 1px solid brown; }",
+      "div.foo { width: 500px; -moz-binding: foo; height: 200px; }",
+
+      # no @import for you
+      "\@import url(javascript:alert('Your cookie:'+document.cookie));",
+
+      # no behavior either
+      "behaviour:expression(function(element){alert(&#39;xss&#39;);}(this));'>",
+
+      # case-sensitivity test
+      '-Moz-binding: url("http://www.example.comtest.xml");',
+
+      # \uxxrl unicode
+      "background:\75rl('javascript:alert(\"\\75rl\")');",
+      "background:&#x75;rl(javascript:alert('html &amp;#x75;'))",
+      "b\nackground: url(javascript:alert('line-broken background '))",
+      "background:&#xff55;rl(javascript:alert('&amp;#xff55;rl(full-width u)'))",
+      "background:&#117;rl(javascript:alert(&amp;#117;rl'))",
+      "background:&#x75;rl(javascript:alert('&amp;#x75;rl'))",
+      "background:\75rl('javascript:alert(\"\\75rl\")')",
+
+      # \\d gets parsed out on ffx and ie
+      "background:url(&quot;javascri\\dpt:alert('injected js goes here')&quot;)",
+
+      # http://rt.livejournal.org/Ticket/Display.html?id=436
+      '-\4d oz-binding: url("http://localhost/test.xml#foo");',
+
+      # css comments are ignored sometimes
+      "xss:expr/*XSS*/ession(alert('XSS'));",
+
+      # html comments? fail
+      "background:url(java<!-- -->script:alert('XSS'));",
+
+      # weird comments
+      'color: e/* * / */xpression("r" + "e" + "d");',
+
+      # weird comments to really test that regex
+      'color: e/*/**/xpression("r" + "e" + "d");',
+
+      # we're not using a parser, but nonetheless ... if we were..
+      <<-STR
+      p {
+      dummy: '//'; background:url(javascript:alert('XSS'));
+      }
+STR
+    ]
+    bad_strings.each do |string|
+      @site.custom_css = string
+      @site.custom_css.should == "Error: invalid/disallowed characters in CSS"
+    end
+  end
+
+
+  it "allows good css" do
+    good_strings = [
+      ".test { color: red; border: 1px solid brown; }",
+      "h1 { background: url(http://foobar.com/meh.jpg)}",
+      "div.foo { width: 500px; height: 200px; }",
+      "GI b gkljfl kj { { { ********" # gibberish, but should work.
+    ]
+    good_strings.each do |string|
+      @site.custom_css = string
+      @site.custom_css.should == string
+    end
+
+  end
+
+  it "does not strip real comments" do
+    text = <<STR
+a.foo { bar: x }
+
+/* Group: header */
+a.bar { x: poo }
+STR
+    @site.custom_css = text
+    @site.custom_css.should == text
+  end
+
+  it "does strip suspicious comments" do
+          text = <<-STR
+    a.foo { ba/* hack */r: x }
+
+    /* Group: header */
+    a.bar { x: poo }
+STR
+    @site.custom_css = text
+    @site.custom_css.should == "Error: invalid/disallowed characters in CSS"
+    @site.custom_css = "Foo /*/**/ Bar"
+    @site.custom_css.should == "Error: invalid/disallowed characters in CSS"
+  end
+
+  it "doesn't allow bad css" do
+    @site.custom_css = <<STR
+test{ width: expression(alert("sux 2 be u")); }
+a:link { color: red }
+STR
+    @site.custom_css.should == "Error: invalid/disallowed characters in CSS"
+  end
+
+end

vendor/plugins/fckeditor/lib/fckeditor.rb

@@ -44,10 +44,10 @@ def fckeditor_textarea_tag(name, value='', options={})
       js_path = "#{ActionController::Base.relative_url_root}/javascripts"
       base_path = "#{js_path}/fckeditor/"
       return inputs <<
-        javascript_tag("var oFCKeditor = new FCKeditor('#{options[:id]}', '#{width}', '#{height}', '#{toolbarSet}');\n" <<
+        javascript_tag("jQuery(document).ready(function(){ var oFCKeditor = new FCKeditor('#{options[:id]}', '#{width}', '#{height}', '#{toolbarSet}');\n" <<
                        "oFCKeditor.BasePath = \"#{base_path}\"\n" <<
                        "oFCKeditor.Config['CustomConfigurationsPath'] = '#{js_path}/fckcustom.js';\n" <<
-                       "oFCKeditor.ReplaceTextarea();\n")
+                       "oFCKeditor.ReplaceTextarea(); });\n")
     end