Magento Community Edition, 1.9.x

Content Permissions

As a security measure, Magento includes a whitelist of content that can be referenced by custom modules and extensions. Some implementations such as blog extensions, reference content that can be accessed only if the directive is in the whitelist. For example, a module or extension might include the following markup tags on CMS pages or in email templates. For an example, see: Listing Categories On Home Page.

  • Commonly Used Directives

    {{config path=”web/unsecure/base_url”}}

    {{block type=rss/order_new}}

You can add the most commonly used variable and block references to the whitelist from the Admin. If not included in the list of allowed directives, it must be added to the database installation script on the server. Some configuration variables or blocks can be added to the whitelist only by running a data update script that lists each additional directive.

  • Variable and Block Names in Script

    permission_variable

    permission_block


Allowed Variables
  • Allowed Directives

    Content References

    Variables

    web/unsecure/base_url

    web/secure/base_url

    trans_email/ident_support/name

    trans_email/ident_support/email

    trans_email/ident_general/name

    trans_email/ident_sales/name

    trans_email/ident_sales/email

    trans_email/ident_custom1/name

    trans_email/ident_custom1/email

    trans_email/ident_custom2/name

    trans_email/ident_custom2/email

    general/store_information/name

    general/store_information/phone

    general/store_information/address

    Blocks

    core/template

    catalog/product_new