Alex Anderson b5389273af Add JavaScript to sanitize user generated CSS
On every page, a mutation observer is created for the `#content` element.
Whenever stuff is added to the page, it will run a little sanitize script.

This goes to every `.user_content` element, loops through all of the
children, and checks to see if it has `position:fixed` applied to it.
If it does, it replaces it with `position:relative`.

See the attached JIRA for an explanation of the security vulnerability
this fixes.

Test Plan:
In an RCE on any page, include the following iframe content:

```html
<iframe style="position: fixed;
left: 0;
top: 0;
right: 0;
width: 100vw;
height: 100vh;"
src="https://www.badgerbadgerbadger.com/"></iframe>
```

Save it and navigate to the page which renders your content.
If you see badgers across the entire page, this commit failed.

Fixes SEC-2876
Refs LS-743

flags=none

Change-Id: I11bedc6946e851085503e87f892d3f9edac64bd5
Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/243025
Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com>
Product-Review: Peyton Craighill <pcraighill@instructure.com>
Reviewed-by: Ed Schiebel <eschiebel@instructure.com>
QA-Review: Robin Kuss <rkuss@instructure.com>
2020-07-23 20:40:51 +00:00
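The sanitizer the commit describes, written out as an added example (this is not the canvas-lms change itself): walk every `.user_content` block under `#content`, rewrite `position: fixed` to `position: relative`, and re-run on DOM insertions via a MutationObserver. The `#content` and `.user_content` selectors are taken from the commit message and assumed; the check reads the inline `style` attribute, and the observer wiring is guarded so the file also loads outside a browser.

```javascript
// Selectors mirror the commit message; they are assumptions, not canvas-lms code.
const CONTENT_ROOT = '#content';
const USER_CONTENT = '.user_content';

// True when the element's inline style pins it to the viewport. Inline
// styles are what pasted HTML carries; a rule coming from a stylesheet
// would need window.getComputedStyle, which only exists in a browser.
function isFixed(el) {
  const pos = (el.style && el.style.position) || '';
  return pos.trim().toLowerCase() === 'fixed';
}

// Rewrites position:fixed to position:relative on every descendant of one
// `.user_content` block. Returns the number of elements changed so the
// caller can log or assert on what was neutralised.
function sanitizeUserContent(block) {
  let changed = 0;
  for (const el of block.querySelectorAll('*')) {
    if (isFixed(el)) {
      el.style.position = 'relative';
      changed += 1;
    }
  }
  return changed;
}

// Sanitizes every `.user_content` block below `root` (normally #content).
function sanitizeAll(root) {
  let total = 0;
  for (const block of root.querySelectorAll(USER_CONTENT)) {
    total += sanitizeUserContent(block);
  }
  return total;
}

// Browser wiring: run once on load, then again whenever nodes are added
// under #content (the MutationObserver the commit describes). Guarded so
// the file also loads outside a browser, e.g. under a unit test runner.
function installObserver() {
  if (typeof document === 'undefined') return null;
  const root = document.querySelector(CONTENT_ROOT);
  if (!root) return null;
  sanitizeAll(root);
  const observer = new MutationObserver(() => sanitizeAll(root));
  // childList only: our own style rewrites must not retrigger the callback.
  observer.observe(root, { childList: true, subtree: true });
  return observer;
}

installObserver();
```

Content outside a `.user_content` block is deliberately left alone, so the page's own fixed-position chrome keeps working.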

README.md

Canvas LMS

Canvas is a modern, open-source LMS developed and maintained by Instructure Inc. It is released under the AGPLv3 license for use by anyone interested in learning more about or using learning management systems.

Please see our main wiki page for more information.

Installation

Detailed instructions for installation and configuration of Canvas are provided on our wiki.