qti 2.13.1 → 2.15.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 012e43c78ded5cf4f1ec586f8bbd321cadb532facc73e3b06bf9ecd884ab724f
-  data.tar.gz: d95a01adb90683fa13c2bd769581edc53771c8a8157c692954090d38936fc318
+  metadata.gz: fcafa61127adf8dafdd3084cd6c22d56630473c0d01e42a7e6cddf6ee7b4ba96
+  data.tar.gz: 68fdf75e1b11fae2ca2ac55aca9daf936c2754ee1a0a244ccc94a51953c3957f
 SHA512:
-  metadata.gz: bfd79edf504cedad28c37fb5c34ce67b54e2421ba8db324e25d905d23881c66d44f64f700d6803c8853f70b68864f249eb9725d47b3f3b232c66d3a9b2217f39
-  data.tar.gz: 197b13f906c3604df179ab2276d69fcd8e0183f8988046bcd73df35653c312c02f0e37127874d6d371d7320e7e9d0b2bea5a6bbc324d419d1c3067907fa8e1d9
+  metadata.gz: 06543ad3a11e643f4c9731a641da3495afa53d94defa9ac8b40a34015d152ca24e5943fb1b33d9fe0db0714915f9a2e86dd2511821197f1b29395b071adf1ce0
+  data.tar.gz: 7b3ad6b2fa593ca9f2be62f524777fef0d41d9ddc8833af38ec445a89a3ffe5c855dd80312000978a0bd55bada68b8d711220a54b46d1b231223b0e41727b0b3

data/lib/qti/sanitizer.rb

@@ -40,7 +40,7 @@ module Qti
             'object' => MEDIA_ATTR,
             'embed' => %w[name src type allowfullscreen pluginspage wmode
                           allowscriptaccess width height],
-            'iframe' => %w[src width height name align frameborder scrolling sandbox
+            'iframe' => %w[src style width height name align frameborder scrolling sandbox
                            allowfullscreen webkitallowfullscreen mozallowfullscreen
                            allow] + ALL_DATA_ATTR, # TODO: remove explicit allow with domain whitelist account setting
             'a' => relaxed_config('a', ['target'] + ALL_DATA_ATTR),
@@ -92,7 +92,7 @@ module Qti
       lambda do |env|
         return unless FILTER_TAGS.include?(env[:node_name])
         return if env[:is_whitelisted] || !env[:node].element?
-        Sanitize.node!(env[:node], CONFIG)
+        Sanitize.node!(env[:node], Sanitize::Config.merge(Sanitize::Config::RELAXED, CONFIG))
         { node_whitelist: [env[:node]] }
       end
     end

data/lib/qti/v1/models/assessment_item.rb

@@ -18,7 +18,7 @@ module Qti
             node = @doc.dup
             presentation = node.at_xpath('.//xmlns:presentation')
             mattext = presentation.at_xpath('.//xmlns:mattext')
-            prompt = return_inner_content!(mattext)
+            prompt = sanitize_attributes(return_inner_content!(mattext))
             sanitize_content!(prompt)
           end
         end
@@ -83,11 +83,15 @@ module Qti
         end
 
         def feedback
-          @feedback ||= interaction_model.canvas_item_feedback
+          @feedback ||= interaction_model.canvas_item_feedback&.transform_values { |v| sanitize_content!(v) }
         end
 
         def answer_feedback
-          @answer_feedback ||= interaction_model.answer_feedback
+          @answer_feedback ||= interaction_model.answer_feedback&.map do |answer|
+            duped = answer.dup
+            duped[:feedback] = sanitize_content!(duped[:feedback])
+            duped
+          end
         end
       end
     end

data/lib/qti/v1/models/base.rb

@@ -2,6 +2,8 @@ module Qti
   module V1
     module Models
       class Base < Qti::Models::Base
+        CANVAS_BLANK_REGEX ||= /(\[[A-Za-z0-9_\-.]+\])/.freeze
+
         def qti_version
           1
         end
@@ -12,6 +14,20 @@ module Qti
           node.inner_html
         end
 
+        def sanitize_attributes(html)
+          node = Nokogiri::HTML.fragment(html)
+          sanitize_attributes_by_node(node)
+          node.to_html
+        end
+
+        def sanitize_attributes_by_node(node)
+          node.attribute_nodes.each do |a|
+            matches = a.value.match(CANVAS_BLANK_REGEX) || []
+            a.value = a.value.gsub!('[', '&#91;').gsub!(']', '&#93;') if matches.length.positive?
+          end
+          node.children.each { |c| sanitize_attributes_by_node(c) }
+        end
+
         private
 
         def text_node?(node)

data/lib/qti/v1/models/interactions/base_fill_blank_interaction.rb

@@ -3,10 +3,9 @@ module Qti
     module Models
       module Interactions
         class BaseFillBlankInteraction < BaseInteraction
-          CANVAS_REGEX ||= /(\[[A-Za-z0-9_\-.]+\])/.freeze
-
           def canvas_stem_items(item_prompt)
-            item_prompt.split(CANVAS_REGEX).map.with_index do |stem_item, index|
+            item_prompt = sanitize_attributes(item_prompt)
+            item_prompt.split(CANVAS_BLANK_REGEX).map.with_index do |stem_item, index|
               if canvas_fib_response_ids.include?(stem_item)
                 # Strip the brackets before searching
                 value = stem_item[1..-2]

data/lib/qti/version.rb

@@ -1,3 +1,3 @@
 module Qti
-  VERSION = '2.13.1'.freeze
+  VERSION = '2.15.0'.freeze
 end

data/spec/fixtures/items_1.2/true_false.xml

@@ -3,6 +3,18 @@
   <assessment title="1.2 Import Quiz" ident="A1001">
     <section title="Main" ident="S1002">
       <item title="Grading - specific - 3 pt score" ident="QUE_1003">
+        <itemmetadata>
+          <qtimetadata>
+            <qtimetadatafield>
+              <fieldlabel>question_type</fieldlabel>
+              <fieldentry>true_false_question</fieldentry>
+            </qtimetadatafield>
+            <qtimetadatafield>
+              <fieldlabel>assessment_question_identifierref</fieldlabel>
+              <fieldentry>iff205c7405d3b36bdca9b75b51198932</fieldentry>
+            </qtimetadatafield>
+          </qtimetadata>
+        </itemmetadata>
         <presentation>
           <material>
             <mattext texttype="text/html"><![CDATA[If I get a 3, I must have done something wrong. <img data-equation-content="sample equation" script="alert('bad')" align="bottom" alt="image.png" src="org0/images/image.png" border="0"/> <img script="alert('bad')" align="bottom" alt="image.png" src="org0/images/image.png" border="0"/>]]></mattext>
@@ -37,8 +49,37 @@
               <varequal respident="QUE_1004_RL">QUE_1006_A2</varequal>
             </conditionvar>
             <setvar varname="que_score" action="Set">10.00</setvar>
+            <displayfeedback feedbacktype="Response" linkrefid="fb_QUE_1006_A2"/>
           </respcondition>
         </resprocessing>
+        <itemfeedback ident="general_fb">
+          <flow_mat>
+            <material>
+              <mattext texttype="text/html">&lt;p&gt;Neutral&lt;/p&gt;&lt;img script="alert('bad')" alt="image.png" src="org0/images/image.png"/&gt;</mattext>
+            </material>
+          </flow_mat>
+        </itemfeedback>
+        <itemfeedback ident="correct_fb">
+          <flow_mat>
+            <material>
+              <mattext texttype="text/html">&lt;p&gt;Correct&lt;/p&gt;&lt;img script="alert('bad')" alt="image.png" src="org0/images/image.png"/&gt;</mattext>
+            </material>
+          </flow_mat>
+        </itemfeedback>
+        <itemfeedback ident="general_incorrect_fb">
+          <flow_mat>
+            <material>
+              <mattext texttype="text/html">&lt;p&gt;Incorrect&lt;/p&gt;&lt;img script="alert('bad')" alt="image.png" src="org0/images/image.png"/&gt;</mattext>
+            </material>
+          </flow_mat>
+        </itemfeedback>
+        <itemfeedback ident="fb_QUE_1006_A2">
+          <flow_mat>
+            <material>
+              <mattext texttype="text/html">&lt;p&gt;Answer was Correct&lt;/p&gt;&lt;img script="alert('bad')" alt="image.png" src="org0/images/image.png"/&gt;</mattext>
+            </material>
+          </flow_mat>
+        </itemfeedback>
       </item>
     </section>
   </assessment>

data/spec/lib/qti/sanitizer_spec.rb

@@ -54,5 +54,14 @@ describe Qti::Sanitizer do
 
       expect(sanitizer.clean(html)).to include 'target="_blank"'
     end
+
+    it 'allows style attributes on iframe' do
+      html = '<iframe style="width: 523px; height: 294px; display: inline-block;"></iframe>'
+
+      expect(sanitizer.clean(html)).to include 'style'
+      expect(sanitizer.clean(html)).to include 'width: 523px;'
+      expect(sanitizer.clean(html)).to include 'height: 294px;'
+      expect(sanitizer.clean(html)).to include 'display: inline-block;'
+    end
   end
 end

data/spec/lib/qti/v1/models/assessment_item_spec.rb

@@ -10,6 +10,37 @@ describe Qti::V1::Models::AssessmentItem do
     end
   end
 
+  context 'feedback', focus: true do
+    let(:file_path) { File.join('spec', 'fixtures', 'items_1.2', 'true_false.xml') }
+    let(:test_object) { Qti::V1::Models::Assessment.from_path!(file_path) }
+    let(:assessment_item_refs) { test_object.assessment_items }
+    let(:loaded_class) { described_class.new(assessment_item_refs) }
+
+    it 'sanitizes general neutral feedback' do
+      expect(loaded_class.feedback[:neutral]).to include '<p>Neutral'
+      expect(loaded_class.feedback[:neutral]).to include '<img'
+      expect(loaded_class.feedback[:neutral]).not_to include 'script="alert(\'bad\')"'
+    end
+
+    it 'sanitizes general correct feedback' do
+      expect(loaded_class.feedback[:correct]).to include '<p>Correct'
+      expect(loaded_class.feedback[:correct]).to include '<img'
+      expect(loaded_class.feedback[:correct]).not_to include 'script="alert(\'bad\')"'
+    end
+
+    it 'sanitizes general incorrect feedback' do
+      expect(loaded_class.feedback[:incorrect]).to include '<p>Incorrect'
+      expect(loaded_class.feedback[:incorrect]).to include '<img'
+      expect(loaded_class.feedback[:incorrect]).not_to include 'script="alert(\'bad\')"'
+    end
+
+    it 'sanitizes answer feedback' do
+      expect(loaded_class.answer_feedback.first[:feedback]).to include '<p>Answer was Correc'
+      expect(loaded_class.answer_feedback.first[:feedback]).to include '<img'
+      expect(loaded_class.answer_feedback.first[:feedback]).not_to include 'script="alert(\'bad\')"'
+    end
+  end
+
   context 'quiz.xml' do
     let(:file_path) { File.join('spec', 'fixtures', 'items_1.2', 'true_false.xml') }
     let(:test_object) { Qti::V1::Models::Assessment.from_path!(file_path) }

data/spec/lib/qti/v1/models/base_spec.rb

@@ -0,0 +1,22 @@
+describe Qti::V1::Models::Base do
+  context 'specified as single content node matching helpers' do
+    let(:loaded_class) do
+      fixtures_path = File.join('spec', 'fixtures')
+      path = File.join(fixtures_path, 'test_qti_1.2', 'quiz.xml')
+      described_class.from_path!(path)
+    end
+
+    describe '.sanitize_attributes' do
+      it 'respects valid content' do
+        source = 'fill in the [blank]'
+        expect(loaded_class.sanitize_attributes(source)).to eq source
+      end
+
+      it 'translates invalid content' do
+        source = '<span title="[x]">fill in the [blank]</span>'
+        expected = '<span title="&amp;#91;x&amp;#93;">fill in the [blank]</span>'
+        expect(loaded_class.sanitize_attributes(source)).to eq expected
+      end
+    end
+  end
+end

data/spec/lib/qti/v1/models/interactions/choice_interaction_spec.rb

@@ -39,7 +39,7 @@ describe Qti::V1::Models::Interactions::ChoiceInteraction do
     let(:file_path) { File.join(fixtures_path, 'true_false.xml') }
     let(:shuffle_value) { true }
     let(:answer_choices_count) { 2 }
-    let(:meta_type) { nil }
+    let(:meta_type) { 'true_false_question' }
 
     include_examples 'shuffled?'
     include_examples 'answers'

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: qti
 version: !ruby/object:Gem::Version
-  version: 2.13.1
+  version: 2.15.0
 platform: ruby
 authors:
 - Adrian Diaz
@@ -12,7 +12,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2023-04-24 00:00:00.000000000 Z
+date: 2023-05-16 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: actionview
@@ -665,6 +665,7 @@ files:
 - spec/lib/qti/sanitizer_spec.rb
 - spec/lib/qti/v1/models/assessment_item_spec.rb
 - spec/lib/qti/v1/models/assessment_spec.rb
+- spec/lib/qti/v1/models/base_spec.rb
 - spec/lib/qti/v1/models/choices/fill_blank_choice_spec.rb
 - spec/lib/qti/v1/models/choices/logical_identifier_choice_spec.rb
 - spec/lib/qti/v1/models/interactions/base_fill_blank_interaction_spec.rb
@@ -1022,6 +1023,7 @@ test_files:
 - spec/lib/qti/sanitizer_spec.rb
 - spec/lib/qti/v1/models/assessment_item_spec.rb
 - spec/lib/qti/v1/models/assessment_spec.rb
+- spec/lib/qti/v1/models/base_spec.rb
 - spec/lib/qti/v1/models/choices/fill_blank_choice_spec.rb
 - spec/lib/qti/v1/models/choices/logical_identifier_choice_spec.rb
 - spec/lib/qti/v1/models/interactions/base_fill_blank_interaction_spec.rb