- Revision: 451
- Log: Tighten up filtering of Textile and HTML markup in forum posts, given
  that spammers now sometimes get in and make posts. Use the mechanism
  therein to fix Ticket #354, albeit at some significant speed penalty;
  this occurs only when new posts are created or old posts are edited
  and isn't too large compared with the wider request activity, for
  typical length posts.
- Author: rool
- Date: Wed Sep 04 09:21:32 +0100 2013
- Size: 3236 Bytes
```ruby
# Be sure to restart your web server when you modify this file.

# Uncomment below to force Rails into production mode when
# you don't control web/app server and can't set it the proper way
# ENV['RAILS_ENV'] ||= 'production'

# Rails Gem Version
RAILS_GEM_VERSION = '1.2.6' unless defined? RAILS_GEM_VERSION

# Bootstrap the Rails environment, frameworks, and default configuration
require File.join(File.dirname(__FILE__), 'boot')

Rails::Initializer.run do |config|
  # Settings in config/environments/* take precedence over those specified here

  # Skip frameworks you're not going to use (only works if using vendor/rails)
  config.frameworks -= [ :action_web_service ]

  # Add additional load paths for your own custom dirs
  # config.load_paths += %W( #{RAILS_ROOT}/extras )

  # Force all environments to use the same logger level
  # (by default production uses :info, the others :debug)
  config.log_level = :warn

  # Use the database for sessions instead of the file system
  # (create the session table with 'rake db:sessions:create')
  config.action_controller.session_store = :active_record_store

  # Use SQL instead of Active Record's schema dumper when creating the test database.
  # This is necessary if your schema can't be completely dumped by the schema dumper,
  # like if you have constraints or database-specific column types
  # config.active_record.schema_format = :sql

  # Activate observers that should always be running
  # config.active_record.observers = :cacher, :garbage_collector

  # Make Active Record use UTC-based instead of local time
  config.active_record.default_timezone = :utc

  # See Rails::Configuration for more options
end

# Add new inflection rules using the following format
# (all these examples are active by default):
# Inflector.inflections do |inflect|
#   inflect.plural /^(ox)$/i, '\1en'
#   inflect.singular /^(ox)en/i, '\1'
#   inflect.irregular 'person', 'people'
#   inflect.uncountable %w( fish sheep )
# end

# Include your application configuration below

ActionController::CgiRequest::DEFAULT_SESSION_OPTIONS[:session_key] = 'beastapp_session_id'

PASSWORD_SALT = '59f34ac7f486c440ab342d26eff45531' unless Object.const_defined?(:PASSWORD_SALT)

Module.class_eval do
  # Defines a reader that evaluates the given Ruby source on first call and
  # caches the result in an instance variable; the singleton attr_reader
  # defined on that first call answers all later calls.
  def expiring_attr_reader(method_name, value)
    class_eval(<<-EOS, __FILE__, __LINE__)
      def #{method_name}
        class << self; attr_reader :#{method_name}; end
        @#{method_name} = eval(%(#{value}))
      end
    EOS
  end
end

# 2013-09-04 (ADH): A custom vendor/plugins/white_list implementation
# allows for empty attributes lists, meaning "pass all". We use its
# block parameter to pass a custom block too. This checks the bad_tags
# list set up below and returns the HTML escaped result. Otherwise it
# lets it through. That way, we turn white listing into black listing,
# as in general forum users are trusted, but in the last year or so a
# number of spammers have got through the Hub captcha and shown that
# users aren't quite as trustworthy as they used to be.

WhiteListHelper.attributes = Set.new()
WhiteListHelper.tags = Set.new() # So everything is passed to the custom block as if 'bad'

WhiteListHelper.bad_tags.merge(%w(object param embed frame iframe))
```
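To make the block-based filtering described in the comment above concrete, here is an added example that is not part of this changeset and not the project's white_list plugin: a constructed regex tag tokenizer hands every tag to a block, which either passes it through or HTML-escapes it. The blacklist variant mirrors the bad_tags configuration above; the whitelist variant and its ALLOWED_TAGS list are assumptions added for comparison.

```ruby
require 'set'
require 'cgi'

# Constructed tokenizer for illustration only: matches opening and closing
# tags and captures the tag name. It is not an HTML parser.
TAG_RE = %r{<(/?)([a-zA-Z][a-zA-Z0-9]*)([^>]*)>}

# Hands each tag (name, raw text) to the block; a truthy result keeps the
# tag, a falsy result replaces it with its HTML-escaped form.
def filter_tags(html)
  html.gsub(TAG_RE) do |tag|
    name = Regexp.last_match(2).downcase
    yield(name, tag) ? tag : CGI.escapeHTML(tag)
  end
end

# Blacklist, as configured above: only tags on bad_tags are escaped,
# anything else passes through untouched.
BAD_TAGS = Set.new(%w(object param embed frame iframe))
def blacklist_filter(html)
  filter_tags(html) { |name, _tag| !BAD_TAGS.include?(name) }
end

# Whitelist, for comparison (assumed allowed list): only known-safe
# formatting tags survive, so an unlisted tag is escaped by default.
ALLOWED_TAGS = Set.new(%w(a b i em strong p br code pre blockquote ul ol li))
def whitelist_filter(html)
  filter_tags(html) { |name, _tag| ALLOWED_TAGS.include?(name) }
end

if __FILE__ == $0
  # Constructed sample post: formatting, an embedded frame, and a tag on
  # neither list.
  sample = '<p>Hi <b>there</b></p><iframe src="x"></iframe><marquee>new</marquee>'
  puts blacklist_filter(sample)
  puts whitelist_filter(sample)
end
```

The two outputs differ only on the tag that appears on neither list: the blacklist keeps it, the whitelist escapes it, which is the trade-off the comment above describes when it calls this "black listing".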