fix issue #201

2011-09-14 11:32:14 +02:00 · 2011-09-14 11:32:14 +02:00 · 8dfefe5094
commit 8dfefe5094
parent efc843c2d9
4 changed files with 14 additions and 1 deletions
--- a/app/controllers/admin/api_contents_controller.rb
+++ b/app/controllers/admin/api_contents_controller.rb
@ -50,6 +50,7 @@ module Admin

    def sanitize_content_params
      (params[:content] || {}).each do |key, value|
+        next unless value.is_a?(String)
        params[:content][key] = Sanitize.clean(value, Sanitize::Config::BASIC)
      end
    end
--- a/doc/TODO
+++ b/doc/TODO
@ -33,7 +33,6 @@ BUGS:

 NICE TO HAVE:
 - export site
-
 - super_finder
 - traffic statistics
 - asset picker (content instance)
--- a/lib/locomotive/liquid/filters/html.rb
+++ b/lib/locomotive/liquid/filters/html.rb
@ -64,6 +64,7 @@ module Locomotive
        # example: 'about/myphoto.jpg' | theme_image # <img src="images/about/myphoto.jpg" />
        def theme_image_tag(input, *args)
          image_options = inline_options(args_to_options(args))
+
          "<img src=\"#{theme_image_url(input)}\" #{image_options}/>"
        end

@ -71,6 +72,7 @@ module Locomotive
        # input: url of the image OR asset drop
        def image_tag(input, *args)
          image_options = inline_options(args_to_options(args))
+
          "<img src=\"#{get_url_from_asset(input)}\" #{image_options}/>"
        end

--- a/spec/controllers/admin/api_contents_controller_spec.rb
+++ b/spec/controllers/admin/api_contents_controller_spec.rb
@ -7,6 +7,8 @@ describe Admin::ApiContentsController do
    @site.content_types.first.tap do |content_type|
      content_type.content_custom_fields.build :label => 'Name', :kind => 'string', :required => true
      content_type.content_custom_fields.build :label => 'Description', :kind => 'text'
+      content_type.content_custom_fields.build :label => 'File', :kind => 'file'
+      content_type.content_custom_fields.build :label => 'Active', :kind => 'boolean'
    end.save

    controller.stubs(:require_site).returns(true)
@ -64,6 +66,15 @@ describe Admin::ApiContentsController do
        content.name.should == "Hacked"
      end

+      it 'does not sanitize non string params' do
+        lambda {
+          post 'create', default_post_params(:content => {
+            :active => true,
+            :file => ActionDispatch::Http::UploadedFile.new(:tempfile => FixturedAsset.open('5k.png'), :filename => '5k.png', :content_type => 'image/png')
+          })
+        }.should_not raise_exception
+      end
+
    end

  end