Magento Commerce, 1.14.x

Content Permissions

As a security measure, Magento includes a whitelist of content that can be referenced by custom modules and extensions. Some implementations, such as blog extensions, reference content that can be accessed only if the directive is in the whitelist. For example, a module or extension might include the following markup tags on CMS pages or in email templates. For an example, see: Category List on Home Page.

  • Commonly Used Directives

    {{config path="web/unsecure/base_url"}}

    {{block type=rss/order_new}}

You can add the most commonly used variable and block references to the whitelist from the Admin. If a directive is not included in the list of allowed directives, it must be added to the database installation script on the server. Some configuration variables or blocks can be added to the whitelist only by running a data update script that lists each directive.

  • Variable and Block Names in Script

    permission_variable

    permission_block


Allowed Variables
Allowed Directives

Content References

  • Variables

    web/unsecure/base_url
    web/secure/base_url
    trans_email/ident_support/name
    trans_email/ident_support/email
    trans_email/ident_general/name
    trans_email/ident_sales/name
    trans_email/ident_sales/email
    trans_email/ident_custom1/name
    trans_email/ident_custom1/email
    trans_email/ident_custom2/name
    trans_email/ident_custom2/email
    general/store_information/name
    general/store_information/phone
    general/store_information/address

  • Blocks

    core/template
    catalog/product_new
    enterprise_catalogevent/event_lister
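
An added example, not part of the Magento documentation: a Python audit that scans exported CMS page or email template content for {{config}} and {{block}} directives and reports any that are not in the default lists above, so they can be added to the whitelist before the content is relied on. The sample content is constructed and the acme_blog/latest block name is hypothetical.

```python
import re

# Default whitelist exactly as listed on this page (Magento Commerce 1.14.x).
ALLOWED_VARIABLES = {
    "web/unsecure/base_url", "web/secure/base_url",
    "trans_email/ident_support/name", "trans_email/ident_support/email",
    "trans_email/ident_general/name",
    "trans_email/ident_sales/name", "trans_email/ident_sales/email",
    "trans_email/ident_custom1/name", "trans_email/ident_custom1/email",
    "trans_email/ident_custom2/name", "trans_email/ident_custom2/email",
    "general/store_information/name", "general/store_information/phone",
    "general/store_information/address",
}
ALLOWED_BLOCKS = {"core/template", "catalog/product_new",
                  "enterprise_catalogevent/event_lister"}
ALLOWED = {"config": ALLOWED_VARIABLES, "block": ALLOWED_BLOCKS}

Q = "\"'\u201c\u201d"  # straight and curly quotes; pasted markup often has both
DIRECTIVE = re.compile(r"\{\{\s*(config|block)\s+([^}]*)\}\}")
ATTR = {  # the attribute that names the referenced variable or block
    "config": re.compile(r"\bpath\s*=\s*[%s]?([^\s%s]+)" % (Q, Q)),
    "block": re.compile(r"\btype\s*=\s*[%s]?([^\s%s]+)" % (Q, Q)),
}

def find_unlisted(content):
    """Return sorted (kind, name) pairs for directives not on the whitelist."""
    missing = set()
    for kind, attrs in DIRECTIVE.findall(content):
        m = ATTR[kind].search(attrs)
        if m and m.group(1) not in ALLOWED[kind]:
            missing.add((kind, m.group(1)))
    return sorted(missing)

# Constructed CMS content; acme_blog/latest is a hypothetical extension block.
SAMPLE = """
<p>Store: {{config path="web/unsecure/base_url"}}</p>
{{block type="catalog/product_new" template="catalog/product/new.phtml"}}
{{block type=rss/order_new}}
{{block type='acme_blog/latest' limit="5"}}
{{config path=\u201cgeneral/locale/timezone\u201d}}
"""

if __name__ == "__main__":
    for kind, name in find_unlisted(SAMPLE):
        print(f"{kind}: {name} is not whitelisted")
```

Each "config" result is a candidate for the allowed variables list and each "block" result for the allowed blocks list; review each one before adding it rather than whitelisting everything the scan reports.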