canvas-lms/lib/user_content.rb

module UserContent
  def self.escape(str)
    html = Nokogiri::HTML::DocumentFragment.parse(str)
    html.css('object,embed').each_with_index do |obj, idx|
      styles = {}
      params = {}
      obj.css('param').each do |param|
        params[param['key']] = param['value']
      end
      (obj['style'] || '').split(/\;/).each do |attr|
        key, value = attr.split(/\:/).map(&:strip)
        styles[key] = value
      end
      width = css_size(obj['width'])
      width ||= css_size(params['width'])
      width ||= css_size(styles['width'])
      width ||= '400px'
      height = css_size(obj['height'])
      height ||= css_size(params['height'])
      height ||= css_size(styles['height'])
      height ||= '300px'

      uuid = UUIDSingleton.instance.generate
      child = Nokogiri::XML::Node.new("iframe", html)
      child['class'] = 'user_content_iframe'
      child['name'] = uuid
      child['style'] = "width: #{width}; height: #{height}"
      child['frameborder'] = '0'

      form = Nokogiri::XML::Node.new("form", html)
      form['action'] = "//#{HostUrl.file_host(@domain_root_account || Account.default)}/object_snippet"
      form['method'] = 'post'
      form['class'] = 'user_content_post_form'
      form['target'] = uuid
      form['id'] = "form-#{uuid}"

      input = Nokogiri::XML::Node.new("input", html)
      input['type'] = 'hidden'
      input['name'] = 'object_data'
      snippet = Base64.encode64(obj.to_s).gsub("\n", '')
      input['value'] = snippet
      form.add_child(input)

      s_input = Nokogiri::XML::Node.new("input", html)
      s_input['type'] = 'hidden'
      s_input['name'] = 's'
      s_input['value'] = Canvas::Security.hmac_sha1(snippet)
      form.add_child(s_input)

      obj.replace(child)
      child.add_next_sibling(form)
    end
    html.css('img.equation_image').each do |node|
      mathml = Nokogiri::HTML::DocumentFragment.parse('<span class="hidden-readable">' + Ritex::Parser.new.parse(node.delete('alt').value) + '</span>') rescue next
      node.add_next_sibling(mathml)
    end

    html.to_s.html_safe
  end

  def self.css_size(val)
    res = val.to_f
    res = nil if res == 0
    res = (res + 10).to_s + "px" if res && res.to_s == val
    res
  end
end
modify user_content strategy, fixes #3676 user_content will now work for any arbitrary RTE field, no matter if it came from a column, a string nested three levels deep in a serialized column, whatever. let's call this technique "controlled XSS injection" Change-Id: I56eed1f9b546ac7849dc60faa0f2b3801231131e Reviewed-on: https://gerrit.instructure.com/3704 Reviewed-by: Brian Palmer <brianp@instructure.com> Tested-by: Hudson <hudson@instructure.com> 2011-05-20 05:39:43 +08:00			`module UserContent`
			`def self.escape(str)`
			`html = Nokogiri::HTML::DocumentFragment.parse(str)`
			`html.css('object,embed').each_with_index do \|obj, idx\|`
			`styles = {}`
			`params = {}`
			`obj.css('param').each do \|param\|`
			`params[param['key']] = param['value']`
			`end`
			`(obj['style'] \|\| '').split(/\;/).each do \|attr\|`
			`key, value = attr.split(/\:/).map(&:strip)`
			`styles[key] = value`
			`end`
			`width = css_size(obj['width'])`
			`width \|\|= css_size(params['width'])`
			`width \|\|= css_size(styles['width'])`
			`width \|\|= '400px'`
			`height = css_size(obj['height'])`
			`height \|\|= css_size(params['height'])`
			`height \|\|= css_size(styles['height'])`
			`height \|\|= '300px'`

			`uuid = UUIDSingleton.instance.generate`
			`child = Nokogiri::XML::Node.new("iframe", html)`
			`child['class'] = 'user_content_iframe'`
			`child['name'] = uuid`
			`child['style'] = "width: #{width}; height: #{height}"`
			`child['frameborder'] = '0'`

			`form = Nokogiri::XML::Node.new("form", html)`
			`form['action'] = "//#{HostUrl.file_host(@domain_root_account \|\| Account.default)}/object_snippet"`
			`form['method'] = 'post'`
			`form['class'] = 'user_content_post_form'`
			`form['target'] = uuid`
			`form['id'] = "form-#{uuid}"`

			`input = Nokogiri::XML::Node.new("input", html)`
			`input['type'] = 'hidden'`
			`input['name'] = 'object_data'`
			`snippet = Base64.encode64(obj.to_s).gsub("\n", '')`
			`input['value'] = snippet`
			`form.add_child(input)`

			`s_input = Nokogiri::XML::Node.new("input", html)`
			`s_input['type'] = 'hidden'`
			`s_input['name'] = 's'`
			`s_input['value'] = Canvas::Security.hmac_sha1(snippet)`
			`form.add_child(s_input)`

			`obj.replace(child)`
			`child.add_next_sibling(form)`
			`end`
mathml for screen readers, refs #4362 Change-Id: I833656291e55eab7c29dea46331cf096d47808d1 Reviewed-on: https://gerrit.instructure.com/3837 Tested-by: Hudson <hudson@instructure.com> Reviewed-by: Brian Whitmer <brian@instructure.com> 2011-05-25 03:12:22 +08:00			`html.css('img.equation_image').each do \|node\|`
			`mathml = Nokogiri::HTML::DocumentFragment.parse('<span class="hidden-readable">' + Ritex::Parser.new.parse(node.delete('alt').value) + '</span>') rescue next`
			`node.add_next_sibling(mathml)`
			`end`
modify user_content strategy, fixes #3676 user_content will now work for any arbitrary RTE field, no matter if it came from a column, a string nested three levels deep in a serialized column, whatever. let's call this technique "controlled XSS injection" Change-Id: I56eed1f9b546ac7849dc60faa0f2b3801231131e Reviewed-on: https://gerrit.instructure.com/3704 Reviewed-by: Brian Palmer <brianp@instructure.com> Tested-by: Hudson <hudson@instructure.com> 2011-05-20 05:39:43 +08:00
			`html.to_s.html_safe`
			`end`

			`def self.css_size(val)`
			`res = val.to_f`
			`res = nil if res == 0`
			`res = (res + 10).to_s + "px" if res && res.to_s == val`
			`res`
			`end`
			`end`