
Fixed style gauntlet regex to allow for negative values such as margin:-18px #227

Merged
merged 2 commits into from

3 participants

@jbasdf

A similar commit was made to the source from which this regular expression was derived:
joncalhoun/loofah@ca618fc

This change will permit styles with negative values.
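Added example (not part of the PR or of the canvas-lms code): a small Ruby script that runs the two gauntlet regexes from the diff, before and after this change, together with the unchanged second-stage shape check, over constructed style strings. It shows why the PR's `margin: -18px` case was rejected before, and that a leading hyphen (for example a vendor-prefixed property name, here the made-up `-foo-bar`) also newly passes this stage, leaving the later property whitelist to reject it.

```ruby
# Added example, not canvas-lms code. The three regexes are copied from
# sanitize_field.rb as shown in the diff; everything else is illustrative.

GAUNTLET_BEFORE = /\A([:,\;#%.\(\)\/\sa-zA-Z0-9!]|\w-\w|\'[\s\w]+\'|\"[\s\w]+\"|\([\d,\s]+\))*\z/
GAUNTLET_AFTER  = /\A([-:,\;#%.\(\)\/\sa-zA-Z0-9!]|\w-\w|\'[\s\w]+\'|\"[\s\w]+\"|\([\d,\s]+\))*\z/
# Second stage, unchanged by the PR: only "property: value;" pairs are allowed.
SHAPE = /\A\s*([-\w]+\s*:[^\;]*(\;\s*|$))*\z/

# Mirrors the two `style = '' unless ...` lines: returns the style string
# when both stages pass, '' otherwise.
def gauntlet(style, regex)
  return '' unless style =~ regex
  return '' unless style =~ SHAPE
  style
end

def passes_before?(style)
  gauntlet(style, GAUNTLET_BEFORE) != ''
end

def passes_after?(style)
  gauntlet(style, GAUNTLET_AFTER) != ''
end

def compare(style)
  { before: passes_before?(style), after: passes_after?(style) }
end

# Constructed sample styles.
SAMPLES = [
  "margin: -18px;height: 10px;", # the PR's own case: hyphen after a space
  "border-left-color: #fff;",    # hyphen between word chars: \w-\w already covered it
  "-foo-bar: 1px;",              # leading hyphen: newly passes, whitelist must catch it
  "width: 10px}"                 # structural character: still rejected by both
]

if __FILE__ == $PROGRAM_NAME
  SAMPLES.each do |s|
    r = compare(s)
    printf("%-32s before=%-5s after=%s\n", s.inspect, r[:before], r[:after])
  end
end
```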

@bracken

You have to do a contributor agreement; see the 'contributing' section: https://github.com/instructure/canvas-lms/wiki

And it should be pretty easy to add a spec for this here: https://github.com/instructure/canvas-lms/blob/stable/spec/lib/sanitize_spec.rb

@bracken

Use your GitHub username, and the project is 'canvas-lms'. :)

@inderps inderps referenced this pull request from a commit in camfed/canvas-lms
Inderpal Singh #227 <Tejinder/IPS> Added the controller to handle quiz api requests 0e32c89
@tejinders tejinders referenced this pull request from a commit in camfed/canvas-lms
Tejinder #227 [IPS/Tejinder] Added pagination b034b99
@tejinders tejinders referenced this pull request from a commit in camfed/canvas-lms
Tejinder #227 [IPS/Tejinder] Added quiz type filter. fea9519
@tejinders tejinders referenced this pull request from a commit in camfed/canvas-lms
Tejinder #227 [IPS/Tejinder] Added assignment group id filter. f325c94
@tejinders tejinders referenced this pull request from a commit in camfed/canvas-lms
Tejinder #227 [IPS/Tejinder] Added handling for invalid assignment group. dbc8364
@tejinders tejinders referenced this pull request from a commit in camfed/canvas-lms
Tejinder #227 [IPS/Tejinder] Added documentation for quizzes_api_controller. 6e33216
@tejinders tejinders referenced this pull request from a commit in camfed/canvas-lms
Tejinder #227 [IPS/Tejinder] Added ordering by due date. 2115158
@tejinders tejinders referenced this pull request from a commit in camfed/canvas-lms
Tejinder #227 [IPS/Tejinder] Updated docs to include due date. 2fda725
@ccutrer ccutrer referenced this pull request from a commit
Commit has since been removed from the repository and is no longer available.
@ccutrer ccutrer merged commit 7b22939 into instructure:stable
7 spec/lib/sanitize_spec.rb
@@ -74,6 +74,13 @@
res.should match(/width/)
end
+ it "should allow negative values" do
+ str = "<div style='margin: -18px;height: 10px;'></div>"
+ res = Sanitize.clean(str, Instructure::SanitizeField::SANITIZE)
+ res.should match(/margin/)
+ res.should match(/height/)
+ end
+
it "should remove non-whitelisted css attributes" do
str = "<div style='bacon: 5px; border-left-color: #fff;'></div>"
res = Sanitize.clean(str, Instructure::SanitizeField::SANITIZE)
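Review bot: the new spec only checks that the `margin` and `height` property names survive, which the surrounding positive specs already exercise; it never asserts that the negative value itself is kept, so it would still pass if the value were mangled. Add `res.should match(/-18px/)` (or compare the whole `style` attribute), and since the gauntlet is a whitelist, pair it with a negative case asserting that a style containing a still-disallowed character is emptied, so the widened character class is pinned from both sides.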
2  vendor/plugins/sanitize_field/lib/sanitize_field.rb
@@ -34,7 +34,7 @@ def self.sanitize_style(env)
style = node['style'] || ""
# taken from https://github.com/flavorjones/loofah/blob/master/lib/loofah/html5/scrub.rb
# the gauntlet
- style = '' unless style =~ /\A([:,\;#%.\(\)\/\sa-zA-Z0-9!]|\w-\w|\'[\s\w]+\'|\"[\s\w]+\"|\([\d,\s]+\))*\z/
+ style = '' unless style =~ /\A([-:,\;#%.\(\)\/\sa-zA-Z0-9!]|\w-\w|\'[\s\w]+\'|\"[\s\w]+\"|\([\d,\s]+\))*\z/
style = '' unless style =~ /\A\s*([-\w]+\s*:[^\;]*(\;\s*|$))*\z/
config = env[:config]
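Review bot: adding `-` to the first character class widens the gauntlet from "hyphen only between word characters" (the `\w-\w` alternative, which this makes redundant and could be dropped) to "hyphen anywhere", so a leading hyphen, for instance a vendor-prefixed property name, now passes this stage; the per-property whitelist that the "should remove non-whitelisted css attributes" spec exercises becomes the only thing rejecting such properties, and a spec pinning that a leading-hyphen property is still stripped would be worth adding alongside this change. A short comment noting that `-` is placed first in the class on purpose (literal, not a range) would also help the next person who edits this regex.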