From 8dfefe5094997f3f84bb4ffd419f1b8df24920e5 Mon Sep 17 00:00:00 2001
From: did <didier@nocoffee.fr>
Date: Wed, 14 Sep 2011 11:32:14 +0200
Subject: [PATCH] fix issue #201

---
 app/controllers/admin/api_contents_controller.rb      |  1 +
 doc/TODO                                              |  1 -
 lib/locomotive/liquid/filters/html.rb                 |  2 ++
 .../controllers/admin/api_contents_controller_spec.rb | 11 +++++++++++
 4 files changed, 14 insertions(+), 1 deletion(-)

diff --git a/app/controllers/admin/api_contents_controller.rb b/app/controllers/admin/api_contents_controller.rb
index a465b5b5..bf605690 100644
--- a/app/controllers/admin/api_contents_controller.rb
+++ b/app/controllers/admin/api_contents_controller.rb
@@ -50,6 +50,7 @@ module Admin
 
     def sanitize_content_params
       (params[:content] || {}).each do |key, value|
+        next unless value.is_a?(String)
         params[:content][key] = Sanitize.clean(value, Sanitize::Config::BASIC)
       end
     end
diff --git a/doc/TODO b/doc/TODO
index 9fa0bfe5..9e4f5fa8 100644
--- a/doc/TODO
+++ b/doc/TODO
@@ -33,7 +33,6 @@ BUGS:
 
 NICE TO HAVE:
 - export site
-
 - super_finder
 - traffic statistics
 - asset picker (content instance)
diff --git a/lib/locomotive/liquid/filters/html.rb b/lib/locomotive/liquid/filters/html.rb
index 2575c2ff..e67127d4 100644
--- a/lib/locomotive/liquid/filters/html.rb
+++ b/lib/locomotive/liquid/filters/html.rb
@@ -64,6 +64,7 @@ module Locomotive
         # example: 'about/myphoto.jpg' | theme_image # <img src="images/about/myphoto.jpg" />
         def theme_image_tag(input, *args)
           image_options = inline_options(args_to_options(args))
+
           "<img src=\"#{theme_image_url(input)}\" #{image_options}/>"
         end
 
@@ -71,6 +72,7 @@ module Locomotive
         # input: url of the image OR asset drop
         def image_tag(input, *args)
           image_options = inline_options(args_to_options(args))
+
           "<img src=\"#{get_url_from_asset(input)}\" #{image_options}/>"
         end
 
diff --git a/spec/controllers/admin/api_contents_controller_spec.rb b/spec/controllers/admin/api_contents_controller_spec.rb
index 2dbf2f19..f26883f1 100644
--- a/spec/controllers/admin/api_contents_controller_spec.rb
+++ b/spec/controllers/admin/api_contents_controller_spec.rb
@@ -7,6 +7,8 @@ describe Admin::ApiContentsController do
     @site.content_types.first.tap do |content_type|
       content_type.content_custom_fields.build :label => 'Name', :kind => 'string', :required => true
       content_type.content_custom_fields.build :label => 'Description', :kind => 'text'
+      content_type.content_custom_fields.build :label => 'File', :kind => 'file'
+      content_type.content_custom_fields.build :label => 'Active', :kind => 'boolean'
     end.save
 
     controller.stubs(:require_site).returns(true)
@@ -64,6 +66,15 @@ describe Admin::ApiContentsController do
         content.name.should == "Hacked"
       end
 
+      it 'does not sanitize non string params' do
+        lambda {
+          post 'create', default_post_params(:content => {
+            :active => true,
+            :file => ActionDispatch::Http::UploadedFile.new(:tempfile => FixturedAsset.open('5k.png'), :filename => '5k.png', :content_type => 'image/png')
+          })
+        }.should_not raise_exception
+      end
+
     end
 
   end