From ae45493e6ee00afb599bcda1d75e58f216689d4e Mon Sep 17 00:00:00 2001
From: Kevin Chung
Date: Wed, 14 Jun 2017 13:57:46 -0400
Subject: [PATCH] Giving config page more access (#279)
* Giving a plugin's config page more control
* Adding utils to base
This potentially opens some risk to malicious plugins but really a plugin would already have this capability given that it can run arbitrary Python code.
---
 CTFd/admin/__init__.py | 2 +-
 CTFd/templates/admin/base.html | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/CTFd/admin/__init__.py b/CTFd/admin/__init__.py
index bf570529..69ef8b52 100644
--- CTFd/admin/__init__.py
+++ CTFd/admin/__init__.py
@@ -42,7 +42,7 @@ def admin_plugin_config(plugin):
 if request.method == 'GET':
 if plugin in utils.get_configurable_plugins():
 config = open(os.path.join(app.root_path, 'plugins', plugin, 'config.html')).read()
- return render_template('admin/page.html', content=config)
+ return render_template_string(config)
 abort(404)
 elif request.method == 'POST':
 for k, v in request.form.items():
diff --git a/CTFd/templates/admin/base.html b/CTFd/templates/admin/base.html
index 543e7dbc..0ba60a01 100644
--- CTFd/templates/admin/base.html
+++ CTFd/templates/admin/base.html
@@ -78,6 +78,7 @@ + {% block scripts %} {% endblock %}
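Review bot: In `admin_plugin_config` (CTFd/admin/__init__.py), the new `render_template_string(config)` evaluates the plugin's `config.html` as Jinja source with the application's template context, and nothing at the call site records that this file is now trusted code rather than page content. The only gate visible in the hunk is `plugin in utils.get_configurable_plugins()`, so that check is what keeps both the `plugin` path segment and the template source under the installer's control; I would state this above the call, e.g. `# config.html is trusted plugin code: rendered as a Jinja template, never build it from request data`. Existing plugins whose `config.html` was written as a fragment for `admin/page.html` will presumably now render without the admin layout, or have any literal `{{ ... }}` text interpreted, so the plugin documentation should mention the change. The `open(...).read()` on the context line above the change also never closes the file; `with open(path) as f: config = f.read()` would. The function body continues outside the hunk.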