A11y: Allow the insertion of MathML via the HTML editor

Fixes CNVS-28473

Test plan:
- Visit a page with an editor
- Switch to the HTML view.
- Insert MathML.
- Switch to and from the RCE editor and HTML editor.
- Verify that the MathML remains unchanged.
- Insure that it is not removed or otherwise redacted on save.

Change-Id: I46d55505518f0427fa342eff175a58bdcb0c5284
Reviewed-on: https://gerrit.instructure.com/79588
Tested-by: Jenkins
Reviewed-by: Simon Williams <simon@instructure.com>
Product-Review: Aaron Cannon <acannon@instructure.com>
QA-Review: Pierce Arner <pierce@instructure.com>

Author: Aaron Cannon

gems/canvas_sanitize/lib/canvas_sanitize/canvas_sanitize.rb

@@ -80,7 +80,14 @@ def self.clean_style_value(config, value)
           'del', 'ins', 'iframe', 'font',
           'colgroup', 'dd', 'div', 'dl', 'dt', 'em', 'figure', 'figcaption', 'i', 'img', 'li', 'ol', 'p', 'pre',
           'q', 'small', 'source', 'span', 'strike', 'strong', 'sub', 'sup', 'table', 'tbody', 'td',
-          'tfoot', 'th', 'thead', 'tr', 'u', 'ul', 'object', 'embed', 'param', 'video', 'audio'],
+          'tfoot', 'th', 'thead', 'tr', 'u', 'ul', 'object', 'embed', 'param', 'video', 'audio',
+          # MathML
+          'annotation', 'annotation-xml', 'maction', 'maligngroup', 'malignmark', 'math',
+          'menclose', 'merror', 'mfenced', 'mfrac', 'mglyph', 'mi', 'mlabeledtr', 'mlongdiv',
+          'mmultiscripts', 'mn', 'mo', 'mover', 'mpadded', 'mphantom', 'mprescripts', 'mroot',
+          'mrow', 'ms', 'mscarries', 'mscarry', 'msgroup', 'msline', 'mspace', 'msqrt', 'msrow',
+          'mstack', 'mstyle', 'msub', 'msubsup', 'msup', 'mtable', 'mtd', 'mtext', 'mtr', 'munder',
+          'munderover', 'none', 'semantics'].freeze,
 
       :attributes => {
           :all => ['style',
@@ -128,42 +135,139 @@ def self.clean_style_value(config, value)
                    'aria-valuemax',
                    'aria-valuemin',
                    'aria-valuenow',
-                   'aria-valuetext',
-          ],
-          'a' => ['href', 'target', 'name'],
-          'blockquote' => ['cite'],
-          'col' => ['span', 'width'],
-          'colgroup' => ['span', 'width'],
-          'img' => ['align', 'alt', 'height', 'src', 'width'],
-          'iframe' => ['src', 'width', 'height', 'name', 'align', 'frameborder', 'scrolling', 'sandbox', 'allowfullscreen','webkitallowfullscreen','mozallowfullscreen'],
-          'ol' => ['start', 'type'],
-          'q' => ['cite'],
-          'table' => ['summary', 'width', 'border', 'cellpadding', 'cellspacing', 'center', 'frame', 'rules'],
-          'tr' => ['align', 'valign', 'dir'],
-          'td' => ['abbr', 'axis', 'colspan', 'rowspan', 'width', 'align', 'valign', 'dir'],
-          'th' => ['abbr', 'axis', 'colspan', 'rowspan', 'width', 'align', 'valign', 'dir', 'scope'],
-          'ul' => ['type'],
-          'param' => ['name', 'value'],
-          'object' => ['width', 'height', 'style', 'data', 'type', 'classid', 'codebase'],
-          'source' => ['src', 'type'],
-          'embed' => ['name', 'src', 'type', 'allowfullscreen', 'pluginspage', 'wmode', 'allowscriptaccess', 'width', 'height'],
-          'video' => ['name', 'src', 'allowfullscreen', 'muted', 'poster', 'width', 'height', 'controls'],
-          'audio' => ['name', 'src', 'muted'],
-          'font' => ['face', 'color', 'size'],
-      },
+                   'aria-valuetext'].freeze,
+          'a' => ['href', 'target', 'name'].freeze,
+          'blockquote' => ['cite'].freeze,
+          'col' => ['span', 'width'].freeze,
+          'colgroup' => ['span', 'width'].freeze,
+          'img' => ['align', 'alt', 'height', 'src', 'width'].freeze,
+          'iframe' => ['src', 'width', 'height', 'name', 'align', 'frameborder', 'scrolling',
+                       'sandbox', 'allowfullscreen','webkitallowfullscreen','mozallowfullscreen'].freeze,
+          'ol' => ['start', 'type'].freeze,
+          'q' => ['cite'].freeze,
+          'table' => ['summary', 'width', 'border', 'cellpadding', 'cellspacing', 'center', 'frame', 'rules'].freeze,
+          'tr' => ['align', 'valign', 'dir'].freeze,
+          'td' => ['abbr', 'axis', 'colspan', 'rowspan', 'width', 'align', 'valign', 'dir'].freeze,
+          'th' => ['abbr', 'axis', 'colspan', 'rowspan', 'width', 'align', 'valign', 'dir', 'scope'].freeze,
+          'ul' => ['type'].freeze,
+          'param' => ['name', 'value'].freeze,
+          'object' => ['width', 'height', 'style', 'data', 'type', 'classid', 'codebase'].freeze,
+          'source' => ['src', 'type'].freeze,
+          'embed' => ['name', 'src', 'type', 'allowfullscreen', 'pluginspage', 'wmode',
+                      'allowscriptaccess', 'width', 'height'].freeze,
+          'video' => ['name', 'src', 'allowfullscreen', 'muted', 'poster', 'width', 'height', 'controls'].freeze,
+          'audio' => ['name', 'src', 'muted'].freeze,
+          'font' => ['face', 'color', 'size'].freeze,
+          # MathML
+          'annotation' => ['href', 'xref', 'definitionURL', 'encoding', 'cd', 'name', 'src'].freeze,
+          'annotation-xml' => ['href', 'xref', 'definitionURL', 'encoding', 'cd', 'name', 'src'].freeze,
+          'maction' => ['href', 'xref', 'mathcolor', 'mathbackground', 'actiontype', 'selection'].freeze,
+          'maligngroup' => ['href', 'xref', 'mathcolor', 'mathbackground', 'groupalign'].freeze,
+          'malignmark' => ['href', 'xref', 'mathcolor', 'mathbackground', 'edge'].freeze,
+          'math' => ['href', 'xref', 'display', 'maxwidth', 'overflow', 'altimg', 'altimg-width',
+                     'altimg-height', 'altimg-valign', 'alttext', 'cdgroup', 'mathcolor',
+                     'mathbackground', 'scriptlevel', 'displaystyle', 'scriptsizemultiplier',
+                     'scriptminsize', 'infixlinebreakstyle', 'decimalpoint', 'mathvariant',
+                     'mathsize', 'width', 'height', 'valign', 'form', 'fence', 'separator',
+                     'lspace', 'rspace', 'stretchy', 'symmetric', 'maxsize', 'minsize', 'largeop',
+                     'movablelimits', 'accent', 'linebreak', 'lineleading', 'linebreakstyle',
+                     'linebreakmultchar', 'indentalign', 'indentshift', 'indenttarget',
+                     'indentalignfirst', 'indentshiftfirst', 'indentalignlast', 'indentshiftlast',
+                     'depth', 'lquote', 'rquote', 'linethickness', 'munalign', 'denomalign',
+                     'bevelled', 'voffset', 'open', 'close', 'separators', 'notation',
+                     'subscriptshift', 'superscriptshift', 'accentunder', 'align', 'rowalign',
+                     'columnalign', 'groupalign', 'alignmentscope', 'columnwidth', 'rowspacing',
+                     'columnspacing', 'rowlines', 'columnlines', 'frame', 'framespacing',
+                     'equalrows', 'equalcolumns', 'side', 'minlabelspacing', 'rowspan',
+                     'columnspan', 'edge', 'stackalign', 'charalign', 'charspacing', 'longdivstyle',
+                     'position', 'shift', 'location', 'crossout', 'length', 'leftoverhang',
+                     'rightoverhang', 'mslinethickness', 'selection', 'xmlns'].freeze,
+          'menclose' => ['href', 'xref', 'mathcolor', 'mathbackground', 'notation'].freeze,
+          'merror' => ['href', 'xref', 'mathcolor', 'mathbackground'].freeze,
+          'mfenced' => ['href', 'xref', 'mathcolor', 'mathbackground', 'open', 'close', 'separators'].freeze,
+          'mfrac' => ['href', 'xref', 'mathcolor', 'mathbackground', 'linethickness', 'munalign',
+                      'denomalign', 'bevelled'].freeze,
+          'mglyph' => ['href', 'xref', 'mathcolor', 'mathbackground', 'src', 'alt', 'width', 'height', 'valign'].freeze,
+          'mi' => ['href', 'xref', 'mathcolor', 'mathbackground', 'mathvariant', 'mathsize'].freeze,
+          'mlabeledtr' => ['href', 'xref', 'mathcolor', 'mathbackground'].freeze,
+          'mlongdiv' => ['href', 'xref', 'mathcolor', 'mathbackground', 'longdivstyle', 'align',
+                         'stackalign', 'charalign', 'charspacing'].freeze,
+          'mmultiscripts' => ['href', 'xref', 'mathcolor', 'mathbackground', 'subscriptshift',
+                              'superscriptshift'].freeze,
+          'mn' => ['href', 'xref', 'mathcolor', 'mathbackground', 'mathvariant', 'mathsize'].freeze,
+          'mo' => ['href', 'xref', 'mathcolor', 'mathbackground', 'mathvariant', 'mathsize', 'form',
+                   'fence', 'separator', 'lspace', 'rspace', 'stretchy', 'symmetric', 'maxsize',
+                   'minsize', 'largeop', 'movablelimits', 'accent', 'linebreak', 'lineleading',
+                   'linebreakstyle', 'linebreakmultchar', 'indentalign', 'indentshift',
+                   'indenttarget', 'indentalignfirst', 'indentshiftfirst', 'indentalignlast',
+                   'indentshiftlast'].freeze,
+          'mover' => ['href', 'xref', 'mathcolor', 'mathbackground', 'accent', 'align'].freeze,
+          'mpadded' => ['href', 'xref', 'mathcolor', 'mathbackground', 'height', 'depth', 'width',
+                        'lspace', 'voffset'].freeze,
+          'mphantom' => ['href', 'xref', 'mathcolor', 'mathbackground'].freeze,
+          'mprescripts' => ['href', 'xref', 'mathcolor', 'mathbackground'].freeze,
+          'mroot' => ['href', 'xref', 'mathcolor', 'mathbackground'].freeze,
+          'mrow' => ['href', 'xref', 'mathcolor', 'mathbackground'].freeze,
+          'ms' => ['href', 'xref', 'mathcolor', 'mathbackground', 'mathvariant', 'mathsize', 'lquote', 'rquote'].freeze,
+          'mscarries' => ['href', 'xref', 'mathcolor', 'mathbackground', 'position', 'location',
+                          'crossout', 'scriptsizemultiplier'].freeze,
+          'mscarry' => ['href', 'xref', 'mathcolor', 'mathbackground', 'location', 'crossout'].freeze,
+          'msgroup' => ['href', 'xref', 'mathcolor', 'mathbackground', 'position', 'shift'].freeze,
+          'msline' => ['href', 'xref', 'mathcolor', 'mathbackground', 'position', 'length',
+                       'leftoverhang', 'rightoverhang', 'mslinethickness'].freeze,
+          'mspace' => ['href', 'xref', 'mathcolor', 'mathbackground', 'mathvariant', 'mathsize'].freeze,
+          'msqrt' => ['href', 'xref', 'mathcolor', 'mathbackground'].freeze,
+          'msrow' => ['href', 'xref', 'mathcolor', 'mathbackground', 'position'].freeze,
+          'mstack' => ['href', 'xref', 'mathcolor', 'mathbackground', 'align', 'stackalign',
+                       'charalign', 'charspacing'].freeze,
+          'mstyle' => ['href', 'xref', 'mathcolor', 'mathbackground', 'scriptlevel', 'displaystyle',
+                       'scriptsizemultiplier', 'scriptminsize', 'infixlinebreakstyle',
+                       'decimalpoint', 'mathvariant', 'mathsize', 'width', 'height', 'valign',
+                       'form', 'fence', 'separator', 'lspace', 'rspace', 'stretchy', 'symmetric',
+                       'maxsize', 'minsize', 'largeop', 'movablelimits', 'accent', 'linebreak',
+                       'lineleading', 'linebreakstyle', 'linebreakmultchar', 'indentalign',
+                       'indentshift', 'indenttarget', 'indentalignfirst', 'indentshiftfirst',
+                       'indentalignlast', 'indentshiftlast', 'depth', 'lquote', 'rquote',
+                       'linethickness', 'munalign', 'denomalign', 'bevelled', 'voffset', 'open',
+                       'close', 'separators', 'notation', 'subscriptshift', 'superscriptshift',
+                       'accentunder', 'align', 'rowalign', 'columnalign', 'groupalign',
+                       'alignmentscope', 'columnwidth', 'rowspacing', 'columnspacing', 'rowlines',
+                       'columnlines', 'frame', 'framespacing', 'equalrows', 'equalcolumns', 'side',
+                       'minlabelspacing', 'rowspan', 'columnspan', 'edge', 'stackalign',
+                       'charalign', 'charspacing', 'longdivstyle', 'position', 'shift', 'location',
+                       'crossout', 'length', 'leftoverhang', 'rightoverhang', 'mslinethickness',
+                       'selection'].freeze,
+          'msub' => ['href', 'xref', 'mathcolor', 'mathbackground', 'subscriptshift'].freeze,
+          'msubsup' => ['href', 'xref', 'mathcolor', 'mathbackground', 'subscriptshift', 'superscriptshift'].freeze,
+          'msup' => ['href', 'xref', 'mathcolor', 'mathbackground', 'superscriptshift'].freeze,
+          'mtable' => ['href', 'xref', 'mathcolor', 'mathbackground', 'align', 'rowalign',
+                       'columnalign', 'groupalign', 'alignmentscope', 'columnwidth', 'width',
+                       'rowspacing', 'columnspacing', 'rowlines', 'columnlines', 'frame',
+                       'framespacing', 'equalrows', 'equalcolumns', 'displaystyle', 'side',
+                       'minlabelspacing'].freeze,
+          'mtd' => ['href', 'xref', 'mathcolor', 'mathbackground', 'rowspan', 'columnspan',
+                    'rowalign', 'columnalign', 'groupalign'].freeze,
+          'mtext' => ['href', 'xref', 'mathcolor', 'mathbackground', 'mathvariant', 'mathsize',
+                      'width', 'height', 'depth', 'linebreak'].freeze,
+          'mtr' => ['href', 'xref', 'mathcolor', 'mathbackground', 'rowalign', 'columnalign', 'groupalign'].freeze,
+          'munder' => ['href', 'xref', 'mathcolor', 'mathbackground', 'accentunder', 'align'].freeze,
+          'munderover' => ['href', 'xref', 'mathcolor', 'mathbackground', 'accent', 'accentunder', 'align'].freeze,
+          'none' => ['href', 'xref', 'mathcolor', 'mathbackground'].freeze,
+          'semantics' => ['href', 'xref', 'definitionURL', 'encoding'].freeze,
+      }.freeze,
 
       :protocols => {
           'a' => {'href' => ['ftp', 'http', 'https', 'mailto',
-                             :relative]},
-          'blockquote' => {'cite' => ['http', 'https', :relative]},
-          'img' => {'src' => ['http', 'https', :relative]},
-          'q' => {'cite' => ['http', 'https', :relative]},
-          'object' => {'data' => ['http', 'https', :relative]},
-          'embed' => {'src' => ['http', 'https', :relative]},
-          'iframe' => {'src' => ['http', 'https', :relative]},
-          'style' => {'any' => ['http', 'https', :relative]}
-      },
-      :style_methods => ['url'],
+                             :relative].freeze}.freeze,
+          'blockquote' => {'cite' => ['http', 'https', :relative].freeze}.freeze,
+          'img' => {'src' => ['http', 'https', :relative].freeze}.freeze,
+          'q' => {'cite' => ['http', 'https', :relative].freeze}.freeze,
+          'object' => {'data' => ['http', 'https', :relative].freeze}.freeze,
+          'embed' => {'src' => ['http', 'https', :relative].freeze}.freeze,
+          'iframe' => {'src' => ['http', 'https', :relative].freeze}.freeze,
+          'style' => {'any' => ['http', 'https', :relative].freeze}.freeze
+      }.freeze,
+      :style_methods => ['url'].freeze,
       :style_properties => [
           'background', 'border', 'clear', 'color',
           'cursor', 'direction', 'display', 'float',
@@ -177,7 +281,7 @@ def self.clean_style_value(config, value)
           'top', 'vertical-align',
           'visibility', 'white-space', 'width',
           'z-index', 'zoom'
-      ],
+      ].freeze,
       :style_expressions => [
           /\Abackground-(?:attachment|color|image|position|repeat)\z/,
           /\Abackground-position-(?:x|y)\z/,
@@ -187,12 +291,12 @@ def self.clean_style_value(config, value)
           /\Alist-style-(?:image|position|type)\z/,
           /\Amargin-(?:bottom|left|right|top|offset)\z/,
           /\Apadding-(?:bottom|left|right|top)\z/
-      ],
+      ].freeze,
       :transformers => lambda { |env|
         CanvasSanitize.sanitize_style(env) if env[:node]['style']
         Sanitize.clean_node!(env[:node], {:remove_contents => true}) if env[:node_name] == 'style'
       }
-  }
+  }.freeze
 
   module ClassMethods