canvas-lms/vendor/plugins/sanitize_field
Brian Palmer 70639150ba api: translate absolute paths to full urls with the canvas host
This fixes image links to /equation_images/X, among other things.

As part of this, I refactored the attachment.rb secure setting to be a
domain.yml (HostUrl) setting that can be used app-wide to determine
whether to use http or https when the code doesn't have access to a Request.

Fixes #8784

I also started down the road of having notification emails/sms/etc use
https links instead of http, but there is still work to do there, refs #9190

test plan: Use the rich text editor to post to a discussion or any other
rich text field that can be retrieved via the api, and include an
equation using the equation editor. Then retrieve that post through the
api, and verify that the url to the equation image includes the canvas
hostname and protocol (http://canvas.example.com/equation_images/X
instead of just /equation_images/X)

Change-Id: Iac28bf99d2d3b33c17d5b3eb128aa6d8488570fe
Reviewed-on: https://gerrit.instructure.com/11867
Tested-by: Jenkins <jenkins@instructure.com>
Reviewed-by: Simon Williams <simon@instructure.com>
2012-07-02 09:53:59 -06:00
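The path-to-URL translation the commit above describes, as an added example (not Canvas code): root-relative paths in API-served HTML are rewritten to full URLs using a configured host and a configured "secure" flag that stands in for the domain.yml/HostUrl setting. `HOST_CONFIG`, `canvas_base` and `absolutize` are assumed names, not the project's own.

```ruby
# Added example, not code from Canvas. HOST_CONFIG stands in for the
# domain.yml / HostUrl setting (name and shape assumed): API serialisation
# has no Request to read the protocol from, so it comes from configuration.
HOST_CONFIG = { :domain => 'canvas.example.com', :secure => true }

def canvas_base(config = HOST_CONFIG)
  "#{config[:secure] ? 'https' : 'http'}://#{config[:domain]}"
end

# src/href attribute values, single- or double-quoted.
URL_ATTR_RE = /\b(src|href)=(["'])([^"']*)\2/i

# Rewrites root-relative paths ("/equation_images/X") to full URLs.
# Protocol-relative values ("//cdn.example/...") also begin with "/" but
# already name a host, so they are left alone, as are absolute URLs,
# fragments and non-http(s) schemes.
def absolutize(html, config = HOST_CONFIG)
  base = canvas_base(config)
  html.gsub(URL_ATTR_RE) do
    attr, quote, value = $1, $2, $3
    if value.start_with?('/') && !value.start_with?('//')
      "#{attr}=#{quote}#{base}#{value}#{quote}"
    else
      $&   # unchanged
    end
  end
end

# Constructed sample input covering each kind of value.
def absolutize_demo
  html = '<img src="/equation_images/%5Cfrac%7B1%7D%7B2%7D" alt="eq">' +
         '<a href="https://other.example/p">x</a>' +
         '<a href="//cdn.example/lib.js">y</a>' +
         '<a href="#top">z</a>'
  absolutize(html)
end
```

Only the `img` source in the sample is rewritten; the check for a leading `//` is what keeps a protocol-relative reference from being glued onto the Canvas host as a broken `https://canvas.example.com//cdn.example/...` link.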
lib api: translate absolute paths to full urls with the canvas host 2012-07-02 09:53:59 -06:00
README Initial commit. 2011-01-31 18:57:29 -07:00
Rakefile get rid of rdoctask deprecation warnings 2012-04-18 13:50:42 -06:00
init.rb Initial commit. 2011-01-31 18:57:29 -07:00

README

SanitizeField
=============

This plugin lets a model declare which of its fields are sanitized, and with
which Sanitize configuration, and runs the sanitization in a before_save
callback so that unsanitized markup never reaches the database.

An alternative to this plugin would be to hook a sanitizer into the Rails
whitelist sanitizer.  This is not developed here, but the idea is sketched
at http://wonko.com/post/sanitize (tag and attribute names are strings):

  Rails::Initializer.run do |config|
    config.action_view.white_list_sanitizer = Sanitizer.new
    config.action_view.sanitized_allowed_tags = %w(table tr td)
    config.action_view.sanitized_allowed_attributes = %w(id class style)
  end

Our approach is finer-grained (per-field configuration rather than one
app-wide whitelist) and should serve well for now.  There is also talk of a
Ruby 1.9/Nokogiri-based alternative to the Sanitize gem with better
performance; we are keeping an eye on both.

Example
=======

  class BasicExample < ActiveRecord::Base
    sanitize :body, Sanitize::Config::RELAXED
  end

  class Whatever < ActiveRecord::Base
    sanitize :body, :title, :elements => ['a', 'span'],
      :attributes => {'a' => ['href', 'title'], 'span' => ['class']},
      :protocols => {'a' => {'href' => ['http', 'https', 'mailto']}}
  end
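The macro the two examples above use, re-created as an added example that is not the plugin's own code: `SanitizeField` adds a `sanitize` class method that stores the field list and config and registers a before_save hook; `TinyModel` stands in for ActiveRecord::Base, and `TinySanitize` is a small tag-level allowlist filter standing in for the Sanitize gem (its `RELAXED` constant here is an assumed shape, not the gem's). The filter illustrates element, attribute and protocol allowlisting, including decoded and whitespace-obfuscated `javascript:` values; real code should keep using a parser-based sanitizer such as Sanitize.

```ruby
# Added example, not code from sanitize_field or the Sanitize gem.
require 'cgi'

module TinySanitize
  # Stand-in for Sanitize::Config::RELAXED (assumed shape). As in the Sanitize
  # gem, a URL attribute keeps relative URLs only when :relative is listed.
  RELAXED = {
    :elements   => %w[a b i em strong p br span],
    :attributes => { 'a' => %w[href title], 'span' => %w[class] },
    :protocols  => { 'a' => { 'href' => ['http', 'https', 'mailto', :relative] } },
  }

  TAG_RE  = /<\s*(\/?)\s*([a-zA-Z][a-zA-Z0-9]*)([^>]*)>/
  ATTR_RE = /([a-zA-Z_:][-a-zA-Z0-9_:.]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/
  REMOVE_CONTENTS = %w[script style]   # drop these elements' bodies, not just the tags

  # Scheme allowlist. Whitespace and control characters are removed before the
  # scheme is read, so "java\tscript:" counts as javascript; the caller passes
  # an entity-decoded value, so "&#106;avascript:" is caught as well.
  def self.protocol_ok?(value, allowed)
    scheme = value.gsub(/[\x00-\x20]/, '')[/\A([a-z][a-z0-9+.\-]*):/i, 1]
    return allowed.include?(:relative) if scheme.nil?
    allowed.any? { |p| p.is_a?(String) && p.downcase == scheme.downcase }
  end

  # Tag-level filter: disallowed tags are removed (their text stays), attributes
  # not on the allowlist are dropped, URL attributes must pass protocol_ok?.
  def self.clean(html, config)
    elements   = config[:elements].map(&:downcase)
    attributes = config[:attributes] || {}
    protocols  = config[:protocols]  || {}
    out = html.dup
    REMOVE_CONTENTS.each { |el| out.gsub!(/<\s*#{el}\b[^>]*>.*?<\s*\/\s*#{el}\s*>/mi, '') }
    out.gsub(TAG_RE) do
      closing, name, rest = ($1 == '/'), $2.downcase, $3
      next '' unless elements.include?(name)
      next "</#{name}>" if closing
      allowed_attrs = (attributes[name] || []).map(&:downcase)
      kept = rest.scan(ATTR_RE).map do |aname, dq, sq, bare|
        aname = aname.downcase
        next unless allowed_attrs.include?(aname)
        value = CGI.unescapeHTML(dq || sq || bare)
        allowed_protos = protocols.fetch(name, {})[aname]
        next if allowed_protos && !protocol_ok?(value, allowed_protos)
        %( #{aname}="#{CGI.escapeHTML(value)}")
      end
      "<#{name}#{kept.compact.join}>"
    end
  end
end

# The README's macro: sanitize :field, ..., <config hash>; with no config
# hash the RELAXED stand-in is used.
module SanitizeField
  def self.included(base); base.extend(ClassMethods); end
  module ClassMethods
    def sanitize(*fields)
      config = fields.last.is_a?(Hash) ? fields.pop : TinySanitize::RELAXED
      before_save do |record|
        fields.each { |f| record[f] = TinySanitize.clean(record[f], config) if record[f] }
      end
    end
  end
end

# Minimal stand-in for ActiveRecord::Base: an attribute hash plus before_save hooks.
class TinyModel
  include SanitizeField
  def self.before_save(&hook); before_save_hooks << hook; end
  def self.before_save_hooks; @before_save_hooks ||= []; end
  def initialize(attrs = {}); @attrs = attrs; end
  def [](field);         @attrs[field];         end
  def []=(field, value); @attrs[field] = value; end
  def save; self.class.before_save_hooks.each { |h| h.call(self) }; true; end
end

class BasicExample < TinyModel
  sanitize :body, TinySanitize::RELAXED
end

class Whatever < TinyModel
  sanitize :body, :title, :elements => ['a', 'span'],
    :attributes => {'a' => ['href', 'title'], 'span' => ['class']},
    :protocols => {'a' => {'href' => ['http', 'https', 'mailto']}}
end

# Constructed sample records; returns the three sanitized field values.
def sanitize_demo
  w = Whatever.new(:body  => '<a href="javascript:alert(1)" onclick="x()">hi</a>' +
                             '<script>alert(2)</script><span class="c" id="z">ok</span>',
                   :title => '<b>T</b> <a href="/courses/1">rel</a>')
  w.save
  b = BasicExample.new(:body => '<a href="&#106;avascript:alert(3)">j</a><a href="/courses/1">rel</a>')
  b.save
  [w[:body], w[:title], b[:body]]
end
```

In the sample, `Whatever` keeps `<a>` and `<span class="c">` but strips the `javascript:` href, the `onclick` handler, the `id`, and the whole `<script>` body; because its protocol list lacks `:relative`, the `/courses/1` link in the title loses its href too, while the `RELAXED` stand-in on `BasicExample` keeps it and still rejects the entity-encoded `&#106;avascript:` value.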

License
=======

Copyright (C) 2011 Instructure, Inc.

This file is part of Canvas.

Canvas is free software: you can redistribute it and/or modify it under
the terms of the GNU Affero General Public License as published by the Free
Software Foundation, version 3 of the License.

Canvas is distributed in the hope that it will be useful, but WITHOUT ANY
WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR
A PARTICULAR PURPOSE. See the GNU Affero General Public License for more
details.

You should have received a copy of the GNU Affero General Public License along
with this program. If not, see <http://www.gnu.org/licenses/>.