fixes a problem where internal links to wiki pages that
had titles that started with numbers would cause the
regular expressions to break
(also fixes a couple random typos and such)
test plan:
* create a wiki page with a title that starts with a
numeric character
* create a link to that wiki page (such as on another
wiki page)
* copy the course
* the copied course should have a correct link
fixes #CNVS-4158
Change-Id: I8c6a26feb4766e078f06656e7e26f381ae5934d5
Reviewed-on: https://gerrit.instructure.com/18064
Tested-by: Jenkins <jenkins@instructure.com>
Reviewed-by: Jeremy Stanley <jeremy@instructure.com>
QA-Review: Adam Phillipps <adam@instructure.com>
fixes #9345
fixes #10702
test plan:
(for #9345)
* create a course with a file and an assignment
* put a link to the file in the assignment description
* make the link text also be the link to the file
you should have something like this:
<a href="/courses/XXX/files/YYY/download?wrap=1">/courses/XXX/files/YYY/download?wrap=1</a>
* export the course. the assignment export should succeed (no errors in the summary)
* import the export, and the assignment should be there
(for #10702)
* create a course with two assignments, each in separate assignment groups, and a file
* put a link to the file in the syllabus description, using the link itself as the
link text, as above
* export/import, and verify the assignment groups don't disappear
Change-Id: Icb0a8727a5d7f703bdf7646d98b72b2877246576
Reviewed-on: https://gerrit.instructure.com/13863
Tested-by: Jenkins <jenkins@instructure.com>
Reviewed-by: Bracken Mosbacker <bracken@instructure.com>
old UserContent.css_size was really weird about what it would accept and
when it would return a String vs. a Float. the times it returned a
Float, it would make api_user_content explode. fix that and add some
specs. the vulnerable code was exercised, among other places, in the
assignment json, which impacts gradebooks and other UI features.
fixes #9881
test-plan:
- create an assignment in a course
- in the assignment description, include the html
<object width='100%' />
- try and view the gradebook for the course
- it should not have an ajax request error
Change-Id: I02e824414013347730185fbf7f7fb94a951f3e77
Reviewed-on: https://gerrit.instructure.com/12895
Reviewed-by: Jacob Fugal <jacob@instructure.com>
Tested-by: Jenkins <jenkins@instructure.com>
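The String-versus-Float inconsistency described in the commit message above, shown as an added Ruby example. It is not Canvas code and not the actual fix: `normalize_css_size`, its accepted unit list and the sample inputs are assumptions made for illustration. Every input yields either a String or nil, so a caller building JSON never receives a Float.

```ruby
# Added illustration, not Canvas code: normalize a width/height attribute
# value taken from user HTML so the caller always gets a String (or nil).
# The unit list below is an assumption for this example.
CSS_SIZE_PATTERN = /\A\s*(\d+(?:\.\d+)?|\.\d+)\s*(px|%|em|pt)?\s*\z/i

def normalize_css_size(value)
  return nil if value.nil?
  match = CSS_SIZE_PATTERN.match(value.to_s)
  return nil unless match            # reject anything but number + optional unit
  number = match[1].to_f
  return nil if number.zero?         # "0" or "0%" carries no usable size
  unit = (match[2] || "px").downcase # bare numbers are treated as pixels
  # Format without a trailing ".0" so "400" does not become "400.0px".
  digits = number == number.to_i ? number.to_i.to_s : number.to_s
  "#{digits}#{unit}"
end

# Constructed sample inputs, including the '100%' value from the test plan.
SAMPLES = ["100%", "400", 400, 12.5, " 50 PX ", "", nil, "auto", "100%;x", "-5px"]

# Pair each sample with its normalized form.
def normalize_all(samples = SAMPLES)
  samples.map { |s| [s, normalize_css_size(s)] }
end

if __FILE__ == $PROGRAM_NAME
  normalize_all.each { |input, out| puts "#{input.inspect} -> #{out.inspect}" }
end
```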
This modifies the API to return information on the required user_content
params for api responses. The javascript then processes the api response
fields and replaces the user content with iframe posts to safefiles,
same as we do server-side in erb currently for user_content in non-api
responses. This is done before the html is inserted on the page.
The current implementation requires the api to respond with these extra
data attributes all the time, not just for in-app requests. This isn't
ideal, but other api users will safely ignore those extra data
attributes.
test plan: in a discussion, post a reply that contains an object or
embed tag. reload the page and verify that the flash or java or whatever
still appears. inspect the html, and check that it is contained inside
an iframe pointing to the safefiles domain, rather than embedded
directly on the main canvas domain.
Change-Id: I5f1c5f4f267f654ec339ee422f0743f33ee2564f
Reviewed-on: https://gerrit.instructure.com/12111
Reviewed-by: Simon Williams <simon@instructure.com>
Tested-by: Jenkins <jenkins@instructure.com>
test plan:
* create a course with a module that has an external tool link in it;
* link to the external tool from a wiki page (you'll need to do this
manually by copying the link from the modules page and taking the
path);
* create a new course and copy the first course's content into it;
* verify that the link exists in the wiki page and properly links to
the external tool.
Change-Id: Ia7a3169ba1deb9e42955b658a3bf26203d311e5d
Reviewed-on: https://gerrit.instructure.com/10997
Reviewed-by: Bracken Mosbacker <bracken@instructure.com>
Tested-by: Jenkins <jenkins@instructure.com>
Basic LTI links before could only be added as items in context
modules. This extends that functionality to also support inserting
Basic LTI links into rich content fields. There is no UI provided
for inserting these links; that comes in another commit.
test plan:
- create an external tool in a course with a specific url
- manually create a URL to
/courses/:id/external_tools/retrieve?url=<url>
- the tool should be loaded at the given url
Change-Id: I658b838b8c9a2a6826cf803fd41cb9924fb287ef
Reviewed-on: https://gerrit.instructure.com/5428
Tested-by: Hudson <hudson@instructure.com>
Reviewed-by: Bracken Mosbacker <bracken@instructure.com>
One in course copy, and one in common cartridge export.
refs #5739
Change-Id: I4ba016f643a22f0cf3f6dbbe6b00dcd7d228a10a
Reviewed-on: https://gerrit.instructure.com/5979
Tested-by: Hudson <hudson@instructure.com>
Reviewed-by: Bracken Mosbacker <bracken@instructure.com>
user_content will now work for any arbitrary RTE field, no matter if it
came from a column, a string nested three levels deep in a serialized
column, whatever.
let's call this technique "controlled XSS injection"
Change-Id: I56eed1f9b546ac7849dc60faa0f2b3801231131e
Reviewed-on: https://gerrit.instructure.com/3704
Reviewed-by: Brian Palmer <brianp@instructure.com>
Tested-by: Hudson <hudson@instructure.com>