Magento Open Source, 1.9.x

Magento 1.x Security Patch Notice
For Magento Open Source 1.5 to 1.9, Magento is providing software security patches through June 2020 to ensure those sites remain secure and compliant. Visit our information page for more details about our software maintenance policy and other considerations for your business.

Content Permissions

As a security measure, Magento includes a whitelist of content that can be referenced by custom modules and extensions. Some implementations, such as blog extensions, reference content that can be accessed only if the corresponding directive is in the whitelist. For example, a module or extension might include the following markup tags on CMS pages or in email templates. For an example, see: Listing Categories On Home Page.

  • Commonly Used Directives

    {{config path="web/unsecure/base_url"}}

    {{block type=rss/order_new}}

You can add the most commonly used variable and block references to the whitelist from the Admin. A directive that is not included in the list of allowed directives must be added through a database installation script on the server. Some configuration variables or blocks can be added to the whitelist only by running a data update script that lists each additional directive.

  • Variable and Block Names in Script

    permission_variable

    permission_block
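
As an added example that is not part of this page or of Magento's own code, the following data install script for a hypothetical Acme_Blog module whitelists the config paths and block types its CMS pages and email templates reference, writing to the permission_variable and permission_block tables through the admin/variable and admin/block models. The module name, setup resource name and file path are assumptions; the directives themselves are taken from the allowed list on this page.

```php
<?php
/**
 * Added example, not Magento's own code.
 * Assumed location (hypothetical module):
 *   app/code/local/Acme/Blog/data/acme_blog_setup/data-install-1.0.0.php
 * Runs once when the module's setup resource is first installed.
 */

/** @var Mage_Core_Model_Resource_Setup $installer */
$installer = $this;
$installer->startSetup();

// Config paths used by {{config path="..."}} directives in our templates.
$allowedVariables = array(
    'web/unsecure/base_url',
    'general/store_information/name',
);

// Block types used by {{block type="..."}} directives in our templates.
$allowedBlocks = array(
    'core/template',
    'catalog/product_new',
);

// Only the entries listed above are whitelisted; every other directive
// stays blocked by default. Existing rows are updated rather than duplicated.
foreach ($allowedVariables as $path) {
    $variable = Mage::getModel('admin/variable')->getCollection()
        ->addFieldToFilter('variable_name', $path)
        ->getFirstItem();                // empty model if no row exists yet
    if (!$variable->getId()) {
        $variable->setVariableName($path);
    }
    $variable->setIsAllowed(1)->save();  // 1 = allowed, 0 = blocked
}

foreach ($allowedBlocks as $type) {
    $block = Mage::getModel('admin/block')->getCollection()
        ->addFieldToFilter('block_name', $type)
        ->getFirstItem();
    if (!$block->getId()) {
        $block->setBlockName($type);
    }
    $block->setIsAllowed(1)->save();
}

$installer->endSetup();
```

After the script has run, the new entries appear in the Admin under System > Permissions > Variables and System > Permissions > Blocks, where they can be audited or revoked like entries added by hand.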


Allowed Variables
  • Allowed Directives

    Content References

    Variables

    web/unsecure/base_url

    web/secure/base_url

    trans_email/ident_support/name

    trans_email/ident_support/email

    trans_email/ident_general/name

    trans_email/ident_sales/name

    trans_email/ident_sales/email

    trans_email/ident_custom1/name

    trans_email/ident_custom1/email

    trans_email/ident_custom2/name

    trans_email/ident_custom2/email

    general/store_information/name

    general/store_information/phone

    general/store_information/address

    Blocks

    core/template

    catalog/product_new