From 91076f21d0215112c3ea0a607f00a039e24dc18d Mon Sep 17 00:00:00 2001
From: benjaoming
Date: Fri, 1 Feb 2013 14:08:16 +0100
Subject: [PATCH] security fix for macro plugin, add plugins.acros to testproject
---
 testproject/testproject/settings.py | 1 +
 wiki/plugins/macros/markdown_extensions.py | 6 +++++-
 2 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/testproject/testproject/settings.py b/testproject/testproject/settings.py
index bf08e3c5..75514505 100644
--- a/testproject/testproject/settings.py
+++ b/testproject/testproject/settings.py
@@ -109,6 +109,7 @@ INSTALLED_APPS = (
 'wiki.plugins.images',
 'wiki.plugins.attachments',
 'wiki.plugins.notifications',
+ 'wiki.plugins.macros',
 'mptt',
 #'haystack',
 )
diff --git a/wiki/plugins/macros/markdown_extensions.py b/wiki/plugins/macros/markdown_extensions.py
index 14bcb842..2d57b75c 100644
--- a/wiki/plugins/macros/markdown_extensions.py
+++ b/wiki/plugins/macros/markdown_extensions.py
@@ -18,13 +18,17 @@ class MacroExtension(markdown.Extension):
 class MacroPreprocessor(markdown.preprocessors.Preprocessor):
 """django-wiki macro preprocessor - parse text for various [some_macro] and [some_macro:arg] references. """
-
+
+ allowed_methods = ('article_list',)
+
 def run(self, lines):
 new_text = []
 for line in lines:
 m = MACRO_RE.match(line)
 if m:
 macro = m.group('macro').strip()
+ if not macro in MacroPreprocessor.allowed_methods:
+ continue
 arg = m.group('arg')
 if arg:
 arg = arg.strip()
--
2.45.2
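Review bot: In `MacroPreprocessor.run`, the new `continue` for a macro outside `allowed_methods` skips the rest of the loop body, so if the line is appended to `new_text` further down (the remainder of `run` is outside this hunk), any article line that matches `MACRO_RE` but names a non-allowed macro is silently dropped from the output instead of being rendered as plain text. If that is not intended, keep the text by calling `new_text.append(line)` before the `continue`. The membership test reads more clearly as `if macro not in MacroPreprocessor.allowed_methods:`. Since this tuple appears to be what limits which names article text can trigger, it deserves a comment such as `# Allow-list of macro names callable from article text; add a name only if it is safe to call with author-supplied arguments.`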