canvas-lms/gems/canvas_sanitize
jake.oeding 90134300d2 allow width/height on source tags
closes LF-1099
flag=none

test plan:
-find an RCE, toggle to the html editor
-insert a source tag with width + height attributes
-toggle to normal editor and back to html editor
>confirm the width/height attributes weren't stripped
-save the page
-re-edit your content again
>confirm the width/height weren't stripped by the server

Change-Id: Iffc814b1a12479971ed00bda98b776a5c3a5b6de
Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/335334
Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com>
Reviewed-by: Jacob DeWar <jacob.dewar@instructure.com>
QA-Review: Jacob DeWar <jacob.dewar@instructure.com>
Product-Review: Jake Oeding <jake.oeding@instructure.com>
2023-12-20 14:58:28 +00:00
lib allow width/height on source tags 2023-12-20 14:58:28 +00:00
spec re-enable data sources in various tags 2023-05-11 14:07:30 +00:00
Gemfile fix lockfile syncing from canvas lockfile to sub-gems 2023-05-09 22:57:42 +00:00
Gemfile.lock bundle update debug 2023-12-18 20:25:43 +00:00
README.md da licença part 53 2017-05-01 21:06:11 +00:00
Rakefile add frozen_string_literal comment to engines and gems 2021-03-30 18:14:15 +00:00
canvas_sanitize.gemspec switch from byebug to debug 2023-09-20 23:48:39 +00:00
test.sh simplify gem test harnesses 2016-01-19 17:52:58 +00:00

README.md

SanitizeField

This gem lets a model declare which of its fields are sanitized, and with which Sanitize configuration, and runs that sanitization in a before_save callback, so the HTML that reaches the database is always the sanitized form rather than whatever the client submitted.

An alternative to this plugin would be Rails' own white-list sanitizer, configured once for the whole application. That approach was never developed here, but it is sketched at http://wonko.com/post/sanitize:

```ruby
Rails::Initializer.run do |config|
  config.action_view.white_list_sanitizer = Sanitizer.new
  config.action_view.sanitized_allowed_tags = %w[table tr td]
  config.action_view.sanitized_allowed_attributes = %w[id class style]
end
```

Our approach is finer-grained: the allowed elements, attributes and protocols are chosen per model field rather than once for the whole application, and it should work better for now at least. There has also been talk of a Ruby 1.9/Nokogiri-based alternative to the Sanitize gem for better performance; we are keeping an eye on both of these.

Example

```ruby
class BasicExample < ActiveRecord::Base
  sanitize :body, Sanitize::Config::RELAXED
end
```

```ruby
class Whatever < ActiveRecord::Base
  sanitize :body, :title,
           :elements   => ['a', 'span'],
           :attributes => { 'a' => ['href', 'title'], 'span' => ['class'] },
           :protocols  => { 'a' => { 'href' => ['http', 'https', 'mailto'] } }
end
```
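The `:protocols` option in the example above is the part of the allowlist that decides whether an `href` may point at `javascript:` or `data:`, or only at the schemes the model author listed. The following is an added example, not code from canvas_sanitize or the Sanitize gem: a stand-alone version of that decision, run against the README's own list `['http', 'https', 'mailto']`. It shows the normalisation a browser applies before it reads a URL (which a naive string comparison misses), and why relative and protocol-relative links are dropped unless the pseudo-protocol `:relative` is also listed. The module and method names (`ProtocolAllowlist`, `scheme_of`, `filter_attributes`, `demo`) are made up for this illustration, the sample hrefs are constructed, and the input is assumed to be the attribute value as an HTML parser returns it, with entities already decoded.

```ruby
# Added example for the README's :protocols option; not code from
# canvas_sanitize or the Sanitize gem. All names here are illustrative.
module ProtocolAllowlist
  # URL scheme syntax: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) followed by ":".
  SCHEME_RE = /\A([a-z][a-z0-9+.\-]*):/i

  # The README's own configuration: only these schemes may appear in <a href>.
  # :relative is absent, so scheme-less links are rejected as well.
  README_PROTOCOLS = { 'a' => { 'href' => ['http', 'https', 'mailto'] } }.freeze

  # Browsers strip leading/trailing C0 controls and spaces from a URL and
  # delete every ASCII tab, LF and CR inside it before parsing. A check on the
  # raw attribute value would let "java\tscript:..." through even though the
  # browser executes it, so normalise the same way before looking at the scheme.
  def self.normalize(value)
    value.to_s.gsub(/\A[\x00-\x20]+|[\x00-\x20]+\z/, '').delete("\t\n\r")
  end

  # Lower-cased scheme of the value, or :relative when it has none
  # (plain paths, fragments, query strings and protocol-relative "//host").
  def self.scheme_of(value)
    m = SCHEME_RE.match(normalize(value))
    m ? m[1].downcase : :relative
  end

  # allowed is a list such as ['http', 'https', 'mailto'] or
  # ['http', 'https', :relative]; the symbol :relative stands for "no scheme".
  def self.allowed?(value, allowed)
    permitted = allowed.map { |p| p.is_a?(Symbol) ? p : p.to_s.downcase }
    permitted.include?(scheme_of(value))
  end

  # Attribute filter for one element: attrs is the element's attribute hash,
  # protocols the per-attribute allowlist (e.g. README_PROTOCOLS['a']).
  # Attributes the allowlist does not cover are left alone; covered ones are
  # removed outright when their value fails, rather than rewritten.
  def self.filter_attributes(attrs, protocols)
    attrs.reject do |name, value|
      protocols.key?(name) && !allowed?(value, protocols[name])
    end
  end

  # Constructed sample hrefs run against the README's allowlist.
  # Returns { href => kept? } so each outcome can be inspected.
  def self.demo
    samples = [
      'https://example.com/page',                        # kept
      'mailto:someone@example.com',                      # kept
      'javascript:alert(1)',                             # dropped
      '  JaVaScRiPt:alert(1)',                           # dropped: case and padding
      "java\tscript:alert(1)",                           # dropped: tab inside scheme
      'data:text/html;base64,PHNjcmlwdD48L3NjcmlwdD4=',  # dropped
      '/courses/1/pages/home',                           # dropped: no :relative
      '//evil.example/steal'                             # dropped: scheme-less too
    ]
    samples.to_h { |href| [href, allowed?(href, README_PROTOCOLS['a']['href'])] }
  end
end

if $PROGRAM_NAME == __FILE__
  ProtocolAllowlist.demo.each do |href, kept|
    puts "#{kept ? 'keep' : 'drop'}  #{href.inspect}"
  end
end
```

The two cases worth noticing are the last ones: with the README's list, an in-app link such as `/courses/1/pages/home` is stripped along with `javascript:`, because no scheme is not the same as an allowed scheme. Adding `:relative` admits it, but also admits `//evil.example/steal`, which browsers resolve against the current page's scheme; decide which of those you want before copying the list.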

License

Copyright (C) 2011 - present Instructure, Inc.

This file is part of Canvas.

Canvas is free software: you can redistribute it and/or modify it under the terms of the GNU Affero General Public License as published by the Free Software Foundation, version 3 of the License.

Canvas is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more details.

You should have received a copy of the GNU Affero General Public License along with this program. If not, see http://www.gnu.org/licenses/.