Custom HTML with position:fixed; is allowed in discussion posts - Githubissues

instructure / canvas-lms

The open LMS by Instructure, Inc.

https://github.com/instructure/canvas-lms/wiki

GNU Affero General Public License v3.0

5.6k stars 2.48k forks source link

Custom HTML with position:fixed; is allowed in discussion posts #1654

Open dpkn opened 4 years ago

dpkn commented 4 years ago

Summary:

Posts in discussions allow students to inject custom HTML with the position:fixed; attribute, allowing it to take over the whole page.

Steps to reproduce:

Start writing a new post in a discussion
Switch to HTML mode
Add the HTML, for example:
```
<h1 style="font-size: 10em; position: fixed; top: 0; left: 0; width:100%;height:100%;background:red;z-index: 9999999999;">hello</h1>
```
Expected behavior:

The position:fixed; will get stripped or the written HTML will be contained within the post borders.

Actual behavior:

The custom HTML is allowed to transcend the post borders, rendering the whole discussion page usesless for others.

Example

Abhisaran commented 2 years ago

Haha I just found this was possible today and was looking to submit an issue, you raced me to it 🥂