canvas-lms/gems/canvas_sanitize
Jackson Howe 53d433019b Increase depth limit for syllabus
User content with deeply nested html elements couldn't be parsed by
Nokogiri when the depth exceeded the DEFAULT_MAX_TREE_DEPTH of 400.
The depth limit has already been increased in other places (quizzes,
wiki pages), so we'll do the same for syllabus content to prevent making
the entire syllabus inaccessible if deeply nested content is saved. This
change also prevents content that can't be parsed from being saved in
the syllabus.

fixes LS-3114
flag = none

Test plan:
 - Get my document with deeply-nested html and save the content to a
   course's syllabus_body in a rails console
 - Go to that course's syllabus in the UI
 - Expect the page to load fine
 - Lower the max_tree_depth constant in
   gems/canvas_sanitize/lib/canvas_sanitize/canvas_sanitize.rb (L75) to 1
 - Restart rails server
 - In a new course, go to the syllabus and in the html editor, paste
   <div><div><p>hi</p></div></div>
 - Click save and expect to get a 4xx response

Change-Id: Ib97ab86c102162f8efdc29c1122e0aa6d9801026
Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/289992
Reviewed-by: Eric Saupe <eric.saupe@instructure.com>
QA-Review: Eric Saupe <eric.saupe@instructure.com>
Product-Review: Jackson Howe <jackson.howe@instructure.com>
Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com>
2022-04-20 19:38:27 +00:00
lib Increase depth limit for syllabus 2022-04-20 19:38:27 +00:00
spec RuboCop: Style/StringLiterals, Style/StringLiteralsInInterpolation 2021-11-25 14:03:06 +00:00
Gemfile RuboCop: Style/StringLiterals, Style/StringLiteralsInInterpolation 2021-11-25 14:03:06 +00:00
README.md da licença part 53 2017-05-01 21:06:11 +00:00
Rakefile add frozen_string_literal comment to engines and gems 2021-03-30 18:14:15 +00:00
canvas_sanitize.gemspec RuboCop: Style/StringLiterals, Style/StringLiteralsInInterpolation 2021-11-25 14:03:06 +00:00
test.sh simplify gem test harnesses 2016-01-19 17:52:58 +00:00

README.md

# SanitizeField

We want to be able to pair model fields with a Sanitize configuration and run the sanitization in a before_save callback.

An alternative to this plugin would be a Rails-level whitelist. That route isn't developed here, but the idea is sketched at http://wonko.com/post/sanitize:

```ruby
Rails::Initializer.run do |config|
  config.action_view.white_list_sanitizer = Sanitizer.new
  config.action_view.sanitized_allowed_tags = %w[table tr td]
  config.action_view.sanitized_allowed_attributes = %w[id class style]
end
```

Our approach is finer-grained and should work better, at least for now. There has also been talk of an alternative 1.9/Nokogiri-based approach to the Sanitize gem for better performance; we're keeping an eye on both.

## Example

```ruby
class BasicExample < ActiveRecord::Base
  sanitize :body, Sanitize::Config::RELAXED
end
```

```ruby
class Whatever < ActiveRecord::Base
  sanitize :body, :title,
           :elements => ['a', 'span'],
           :attributes => {'a' => ['href', 'title'], 'span' => ['class']},
           :protocols => {'a' => {'href' => ['http', 'https', 'mailto']}}
end
```
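The following is an added example and not canvas_sanitize's own code. It serves two passages on this page: the README's `sanitize` class macro above, and the depth limit described in the commit message, where content nested deeper than Nokogiri's DEFAULT_MAX_TREE_DEPTH of 400 could not be parsed and is now refused at save time instead of being stored. It uses no gems so it runs offline: `TinyModel` stands in for ActiveRecord's before_save machinery, `SyllabusDraft` mirrors the test plan's lowered limit of 1, and the regex allowlist (`TAG_RE`, `ATTR_RE`, `sanitize_fragment`) only illustrates the README's config shape; text nodes pass through unchanged, so it is not a replacement for the Sanitize gem's parser-based filtering. All names and the sample inputs are constructed for this example.

```ruby
# Added example, not canvas_sanitize's own code: a gem-free stand-in for the
# README's `sanitize` class macro plus the nesting-depth guard from the commit
# message. All names are hypothetical; the regex allowlist is an illustration.
TAG_RE  = %r{<!--.*?-->|<(/?)([A-Za-z][\w:-]*)([^>]*?)(/?)>}m
ATTR_RE = /([A-Za-z][\w:-]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/
VOID_ELEMENTS = %w[area base br col embed hr img input link meta source track wbr].freeze

class ParseDepthExceeded < StandardError; end

# Deepest element nesting in a fragment, counted as a tree-building parser
# would see it: void and self-closed tags add nothing, stray closers are ignored.
def html_nesting_depth(html)
  depth = deepest = 0
  html.scan(TAG_RE) do |closing, name, _attrs, self_closing|
    next if name.nil? # comment
    next if VOID_ELEMENTS.include?(name.downcase) || !self_closing.empty?
    depth += closing.empty? ? 1 : -1
    depth = 0 if depth.negative?
    deepest = depth if depth > deepest
  end
  deepest
end

# Allowlist filter in the shape of the README config: keep only listed elements,
# listed attributes per element and listed URL schemes; drop comments and the
# tags (not the text) of everything else.
def sanitize_fragment(html, elements:, attributes: {}, protocols: {})
  html.gsub(TAG_RE) do
    closing, name, attrs, self_closing = $1, $2, $3, $4
    next "" if name.nil?
    name = name.downcase
    next "" unless elements.include?(name)
    next "</#{name}>" unless closing.empty?
    kept = attrs.scan(ATTR_RE).filter_map do |attr, dq, sq, bare|
      attr  = attr.downcase
      value = dq || sq || bare
      next unless (attributes[name] || []).include?(attr)
      if (schemes = protocols.dig(name, attr))
        scheme = value.strip[/\A([A-Za-z][\w+.-]*):/, 1]
        next unless scheme ? schemes.include?(scheme.downcase) : schemes.include?(:relative)
      end
      " #{attr}=\"#{value.gsub('"', '&quot;')}\""
    end
    "<#{name}#{kept.join}#{self_closing.empty? ? '' : ' /'}>"
  end
end

# The class macro: a before_save hook that refuses over-deep content and
# filters the rest, so markup the parser cannot handle never reaches the database.
module SanitizeField
  MAX_TREE_DEPTH = 400 # Nokogiri's DEFAULT_MAX_TREE_DEPTH, as quoted in the commit message

  def sanitize(*fields, max_tree_depth: MAX_TREE_DEPTH, **config)
    before_save do |record|
      fields.each do |field|
        value = record.public_send(field)
        next if value.nil?
        depth = html_nesting_depth(value)
        raise ParseDepthExceeded, "#{field} nested #{depth} deep, limit #{max_tree_depth}" if depth > max_tree_depth
        record.public_send("#{field}=", sanitize_fragment(value, **config))
      end
    end
  end
end

# Minimal stand-in for ActiveRecord's before_save machinery (hypothetical).
class TinyModel
  extend SanitizeField
  attr_reader :error

  def self.before_save(&hook)
    (@before_save ||= []) << hook
  end

  def self.before_save_hooks
    @before_save || []
  end

  # Returns false with the reason in #error: the case a controller answers with a 4xx.
  def save
    self.class.before_save_hooks.each { |hook| hook.call(self) }
    true
  rescue ParseDepthExceeded => e
    @error = e.message
    false
  end
end

# The README's second example, declared against the stand-in base class.
class Whatever < TinyModel
  attr_accessor :body, :title
  sanitize :body, :title,
           elements: %w[a span],
           attributes: { "a" => %w[href title], "span" => %w[class] },
           protocols: { "a" => { "href" => %w[http https mailto] } }
end

# The commit's test plan with the limit lowered to 1: <div><div><p>hi</p></div></div> is refused.
class SyllabusDraft < TinyModel
  attr_accessor :body
  sanitize :body, elements: %w[div p], max_tree_depth: 1
end
```

Saving a `Whatever` whose body carries a `javascript:` href, an `onclick` handler and a `<p>` wrapper leaves `hi <a title="t">x</a> <span class="c">y</span>`: the scheme check drops the href, the attribute allowlist drops the handler, and the unlisted tag is removed while its text survives. Saving a `SyllabusDraft` with the test plan's three-level snippet returns false and records the depth and limit in `error`, which is the behaviour the commit describes for content the parser could not handle.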

## License

Copyright (C) 2011 - present Instructure, Inc.

This file is part of Canvas.

Canvas is free software: you can redistribute it and/or modify it under the terms of the GNU Affero General Public License as published by the Free Software Foundation, version 3 of the License.

Canvas is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more details.

You should have received a copy of the GNU Affero General Public License along with this program. If not, see http://www.gnu.org/licenses/.