@instructure/platform-assignment-review 0.4.16 → 0.4.17

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (2)
  1. package/dist/index.js +63 -34
  2. package/package.json +2 -2
package/dist/index.js CHANGED
@@ -4,7 +4,7 @@ import { Flex as b } from "@instructure/ui-flex";
4
4
  import { Heading as St } from "@instructure/ui-heading";
5
5
  import { Spinner as Ye } from "@instructure/ui-spinner";
6
6
  import { Text as _ } from "@instructure/ui-text";
7
- import { View as K } from "@instructure/ui-view";
7
+ import { View as Z } from "@instructure/ui-view";
8
8
  import { useQuery as Ve, useQueryClient as un, useMutation as dn } from "@tanstack/react-query";
9
9
  import ae from "graphql-tag";
10
10
  import { z as o } from "zod";
@@ -289,14 +289,14 @@ function _n() {
289
289
  }));
290
290
  let Ot = !0, Qe = !0, Nt = !1, vt = !0, re = !1, Ce = !0, me = !1, Je = !1, et = !1, pe = !1, Ue = !1, ze = !1, Lt = !0, xt = !1;
291
291
  const kt = "user-content-";
292
- let tt = !0, De = !1, ge = {}, Z = null;
292
+ let tt = !0, De = !1, ge = {}, Q = null;
293
293
  const nt = T({}, ["annotation-xml", "audio", "colgroup", "desc", "foreignobject", "head", "iframe", "math", "mi", "mn", "mo", "ms", "mtext", "noembed", "noframes", "noscript", "plaintext", "script", "style", "svg", "template", "thead", "title", "video", "xmp"]);
294
294
  let Mt = null;
295
295
  const Pt = T({}, ["audio", "video", "img", "source", "image", "track"]);
296
296
  let it = null;
297
- const Ft = T({}, ["alt", "class", "for", "id", "label", "name", "pattern", "placeholder", "role", "summary", "title", "value", "style", "xmlns"]), je = "http://www.w3.org/1998/Math/MathML", He = "http://www.w3.org/2000/svg", Q = "http://www.w3.org/1999/xhtml";
298
- let he = Q, ot = !1, rt = null;
299
- const Nn = T({}, [je, He, Q], dt);
297
+ const Ft = T({}, ["alt", "class", "for", "id", "label", "name", "pattern", "placeholder", "role", "summary", "title", "value", "style", "xmlns"]), je = "http://www.w3.org/1998/Math/MathML", He = "http://www.w3.org/2000/svg", J = "http://www.w3.org/1999/xhtml";
298
+ let he = J, ot = !1, rt = null;
299
+ const Nn = T({}, [je, He, J], dt);
300
300
  let st = T({}, ["mi", "mo", "mn", "ms", "mtext"]), at = T({}, ["annotation-xml"]);
301
301
  const vn = T({}, ["title", "style", "font", "a", "script"]);
302
302
  let Re = null;
@@ -309,9 +309,9 @@ function _n() {
309
309
  if (be && be === e)
310
310
  return;
311
311
  (!e || typeof e != "object") && (e = {}), e = W(e), Re = // eslint-disable-next-line unicorn/prefer-includes
312
- Ln.indexOf(e.PARSER_MEDIA_TYPE) === -1 ? xn : e.PARSER_MEDIA_TYPE, k = Re === "application/xhtml+xml" ? dt : Ne, P = D(e, "ALLOWED_TAGS") && H(e.ALLOWED_TAGS) ? T({}, e.ALLOWED_TAGS, k) : Dt, U = D(e, "ALLOWED_ATTR") && H(e.ALLOWED_ATTR) ? T({}, e.ALLOWED_ATTR, k) : Rt, rt = D(e, "ALLOWED_NAMESPACES") && H(e.ALLOWED_NAMESPACES) ? T({}, e.ALLOWED_NAMESPACES, dt) : Nn, it = D(e, "ADD_URI_SAFE_ATTR") && H(e.ADD_URI_SAFE_ATTR) ? T(W(Ft), e.ADD_URI_SAFE_ATTR, k) : Ft, Mt = D(e, "ADD_DATA_URI_TAGS") && H(e.ADD_DATA_URI_TAGS) ? T(W(Pt), e.ADD_DATA_URI_TAGS, k) : Pt, Z = D(e, "FORBID_CONTENTS") && H(e.FORBID_CONTENTS) ? T({}, e.FORBID_CONTENTS, k) : nt, we = D(e, "FORBID_TAGS") && H(e.FORBID_TAGS) ? T({}, e.FORBID_TAGS, k) : W({}), Fe = D(e, "FORBID_ATTR") && H(e.FORBID_ATTR) ? T({}, e.FORBID_ATTR, k) : W({}), ge = D(e, "USE_PROFILES") ? e.USE_PROFILES && typeof e.USE_PROFILES == "object" ? W(e.USE_PROFILES) : e.USE_PROFILES : !1, Ot = e.ALLOW_ARIA_ATTR !== !1, Qe = e.ALLOW_DATA_ATTR !== !1, Nt = e.ALLOW_UNKNOWN_PROTOCOLS || !1, vt = e.ALLOW_SELF_CLOSE_IN_ATTR !== !1, re = e.SAFE_FOR_TEMPLATES || !1, Ce = e.SAFE_FOR_XML !== !1, me = e.WHOLE_DOCUMENT || !1, pe = e.RETURN_DOM || !1, Ue = e.RETURN_DOM_FRAGMENT || !1, ze = e.RETURN_TRUSTED_TYPE || !1, et = e.FORCE_BODY || !1, Lt = e.SANITIZE_DOM !== !1, xt = e.SANITIZE_NAMED_PROPS || !1, tt = e.KEEP_CONTENT !== !1, De = e.IN_PLACE || !1, Ct = hi(e.ALLOWED_URI_REGEXP) ? e.ALLOWED_URI_REGEXP : cn, he = typeof e.NAMESPACE == "string" ? e.NAMESPACE : Q, st = D(e, "MATHML_TEXT_INTEGRATION_POINTS") && e.MATHML_TEXT_INTEGRATION_POINTS && typeof e.MATHML_TEXT_INTEGRATION_POINTS == "object" ? W(e.MATHML_TEXT_INTEGRATION_POINTS) : T({}, ["mi", "mo", "mn", "ms", "mtext"]), at = D(e, "HTML_INTEGRATION_POINTS") && e.HTML_INTEGRATION_POINTS && typeof e.HTML_INTEGRATION_POINTS == "object" ? W(e.HTML_INTEGRATION_POINTS) : T({}, ["annotation-xml"]);
312
+ Ln.indexOf(e.PARSER_MEDIA_TYPE) === -1 ? xn : e.PARSER_MEDIA_TYPE, k = Re === "application/xhtml+xml" ? dt : Ne, P = D(e, "ALLOWED_TAGS") && H(e.ALLOWED_TAGS) ? T({}, e.ALLOWED_TAGS, k) : Dt, U = D(e, "ALLOWED_ATTR") && H(e.ALLOWED_ATTR) ? T({}, e.ALLOWED_ATTR, k) : Rt, rt = D(e, "ALLOWED_NAMESPACES") && H(e.ALLOWED_NAMESPACES) ? T({}, e.ALLOWED_NAMESPACES, dt) : Nn, it = D(e, "ADD_URI_SAFE_ATTR") && H(e.ADD_URI_SAFE_ATTR) ? T(W(Ft), e.ADD_URI_SAFE_ATTR, k) : Ft, Mt = D(e, "ADD_DATA_URI_TAGS") && H(e.ADD_DATA_URI_TAGS) ? T(W(Pt), e.ADD_DATA_URI_TAGS, k) : Pt, Q = D(e, "FORBID_CONTENTS") && H(e.FORBID_CONTENTS) ? T({}, e.FORBID_CONTENTS, k) : nt, we = D(e, "FORBID_TAGS") && H(e.FORBID_TAGS) ? T({}, e.FORBID_TAGS, k) : W({}), Fe = D(e, "FORBID_ATTR") && H(e.FORBID_ATTR) ? T({}, e.FORBID_ATTR, k) : W({}), ge = D(e, "USE_PROFILES") ? e.USE_PROFILES && typeof e.USE_PROFILES == "object" ? W(e.USE_PROFILES) : e.USE_PROFILES : !1, Ot = e.ALLOW_ARIA_ATTR !== !1, Qe = e.ALLOW_DATA_ATTR !== !1, Nt = e.ALLOW_UNKNOWN_PROTOCOLS || !1, vt = e.ALLOW_SELF_CLOSE_IN_ATTR !== !1, re = e.SAFE_FOR_TEMPLATES || !1, Ce = e.SAFE_FOR_XML !== !1, me = e.WHOLE_DOCUMENT || !1, pe = e.RETURN_DOM || !1, Ue = e.RETURN_DOM_FRAGMENT || !1, ze = e.RETURN_TRUSTED_TYPE || !1, et = e.FORCE_BODY || !1, Lt = e.SANITIZE_DOM !== !1, xt = e.SANITIZE_NAMED_PROPS || !1, tt = e.KEEP_CONTENT !== !1, De = e.IN_PLACE || !1, Ct = hi(e.ALLOWED_URI_REGEXP) ? e.ALLOWED_URI_REGEXP : cn, he = typeof e.NAMESPACE == "string" ? e.NAMESPACE : J, st = D(e, "MATHML_TEXT_INTEGRATION_POINTS") && e.MATHML_TEXT_INTEGRATION_POINTS && typeof e.MATHML_TEXT_INTEGRATION_POINTS == "object" ? W(e.MATHML_TEXT_INTEGRATION_POINTS) : T({}, ["mi", "mo", "mn", "ms", "mtext"]), at = D(e, "HTML_INTEGRATION_POINTS") && e.HTML_INTEGRATION_POINTS && typeof e.HTML_INTEGRATION_POINTS == "object" ? W(e.HTML_INTEGRATION_POINTS) : T({}, ["annotation-xml"]);
313
313
  const a = D(e, "CUSTOM_ELEMENT_HANDLING") && e.CUSTOM_ELEMENT_HANDLING && typeof e.CUSTOM_ELEMENT_HANDLING == "object" ? W(e.CUSTOM_ELEMENT_HANDLING) : _e(null);
314
- if (R = _e(null), D(a, "tagNameCheck") && Ut(a.tagNameCheck) && (R.tagNameCheck = a.tagNameCheck), D(a, "attributeNameCheck") && Ut(a.attributeNameCheck) && (R.attributeNameCheck = a.attributeNameCheck), D(a, "allowCustomizedBuiltInElements") && typeof a.allowCustomizedBuiltInElements == "boolean" && (R.allowCustomizedBuiltInElements = a.allowCustomizedBuiltInElements), re && (Qe = !1), Ue && (pe = !0), ge && (P = T({}, sn), U = _e(null), ge.html === !0 && (T(P, rn), T(U, an)), ge.svg === !0 && (T(P, ft), T(U, ht), T(U, We)), ge.svgFilters === !0 && (T(P, pt), T(U, ht), T(U, We)), ge.mathMl === !0 && (T(P, gt), T(U, ln), T(U, We))), oe.tagCheck = null, oe.attributeCheck = null, D(e, "ADD_TAGS") && (typeof e.ADD_TAGS == "function" ? oe.tagCheck = e.ADD_TAGS : H(e.ADD_TAGS) && (P === Dt && (P = W(P)), T(P, e.ADD_TAGS, k))), D(e, "ADD_ATTR") && (typeof e.ADD_ATTR == "function" ? oe.attributeCheck = e.ADD_ATTR : H(e.ADD_ATTR) && (U === Rt && (U = W(U)), T(U, e.ADD_ATTR, k))), D(e, "ADD_URI_SAFE_ATTR") && H(e.ADD_URI_SAFE_ATTR) && T(it, e.ADD_URI_SAFE_ATTR, k), D(e, "FORBID_CONTENTS") && H(e.FORBID_CONTENTS) && (Z === nt && (Z = W(Z)), T(Z, e.FORBID_CONTENTS, k)), D(e, "ADD_FORBID_CONTENTS") && H(e.ADD_FORBID_CONTENTS) && (Z === nt && (Z = W(Z)), T(Z, e.ADD_FORBID_CONTENTS, k)), tt && (P["#text"] = !0), me && T(P, ["html", "head", "body"]), P.table && (T(P, ["tbody"]), delete we.tbody), e.TRUSTED_TYPES_POLICY) {
314
+ if (R = _e(null), D(a, "tagNameCheck") && Ut(a.tagNameCheck) && (R.tagNameCheck = a.tagNameCheck), D(a, "attributeNameCheck") && Ut(a.attributeNameCheck) && (R.attributeNameCheck = a.attributeNameCheck), D(a, "allowCustomizedBuiltInElements") && typeof a.allowCustomizedBuiltInElements == "boolean" && (R.allowCustomizedBuiltInElements = a.allowCustomizedBuiltInElements), re && (Qe = !1), Ue && (pe = !0), ge && (P = T({}, sn), U = _e(null), ge.html === !0 && (T(P, rn), T(U, an)), ge.svg === !0 && (T(P, ft), T(U, ht), T(U, We)), ge.svgFilters === !0 && (T(P, pt), T(U, ht), T(U, We)), ge.mathMl === !0 && (T(P, gt), T(U, ln), T(U, We))), oe.tagCheck = null, oe.attributeCheck = null, D(e, "ADD_TAGS") && (typeof e.ADD_TAGS == "function" ? oe.tagCheck = e.ADD_TAGS : H(e.ADD_TAGS) && (P === Dt && (P = W(P)), T(P, e.ADD_TAGS, k))), D(e, "ADD_ATTR") && (typeof e.ADD_ATTR == "function" ? oe.attributeCheck = e.ADD_ATTR : H(e.ADD_ATTR) && (U === Rt && (U = W(U)), T(U, e.ADD_ATTR, k))), D(e, "ADD_URI_SAFE_ATTR") && H(e.ADD_URI_SAFE_ATTR) && T(it, e.ADD_URI_SAFE_ATTR, k), D(e, "FORBID_CONTENTS") && H(e.FORBID_CONTENTS) && (Q === nt && (Q = W(Q)), T(Q, e.FORBID_CONTENTS, k)), D(e, "ADD_FORBID_CONTENTS") && H(e.ADD_FORBID_CONTENTS) && (Q === nt && (Q = W(Q)), T(Q, e.ADD_FORBID_CONTENTS, k)), tt && (P["#text"] = !0), me && T(P, ["html", "head", "body"]), P.table && (T(P, ["tbody"]), delete we.tbody), e.TRUSTED_TYPES_POLICY) {
315
315
  if (typeof e.TRUSTED_TYPES_POLICY.createHTML != "function")
316
316
  throw Ge('TRUSTED_TYPES_POLICY configuration option must provide a "createHTML" hook.');
317
317
  if (typeof e.TRUSTED_TYPES_POLICY.createScriptURL != "function")
@@ -327,7 +327,7 @@ function _n() {
327
327
  tagName: "template"
328
328
  });
329
329
  const u = Ne(e.tagName), A = Ne(a.tagName);
330
- return rt[e.namespaceURI] ? e.namespaceURI === He ? a.namespaceURI === Q ? u === "svg" : a.namespaceURI === je ? u === "svg" && (A === "annotation-xml" || st[A]) : !!zt[u] : e.namespaceURI === je ? a.namespaceURI === Q ? u === "math" : a.namespaceURI === He ? u === "math" && at[A] : !!jt[u] : e.namespaceURI === Q ? a.namespaceURI === He && !at[A] || a.namespaceURI === je && !st[A] ? !1 : !jt[u] && (vn[u] || !zt[u]) : !!(Re === "application/xhtml+xml" && rt[e.namespaceURI]) : !1;
330
+ return rt[e.namespaceURI] ? e.namespaceURI === He ? a.namespaceURI === J ? u === "svg" : a.namespaceURI === je ? u === "svg" && (A === "annotation-xml" || st[A]) : !!zt[u] : e.namespaceURI === je ? a.namespaceURI === J ? u === "math" : a.namespaceURI === He ? u === "math" && at[A] : !!jt[u] : e.namespaceURI === J ? a.namespaceURI === He && !at[A] || a.namespaceURI === je && !st[A] ? !1 : !jt[u] && (vn[u] || !zt[u]) : !!(Re === "application/xhtml+xml" && rt[e.namespaceURI]) : !1;
331
331
  }, X = function(e) {
332
332
  ye(n.removed, {
333
333
  element: e
@@ -368,9 +368,9 @@ function _n() {
368
368
  const L = en(e, /^[\r\n\t ]+/);
369
369
  u = L && L[0];
370
370
  }
371
- Re === "application/xhtml+xml" && he === Q && (e = '<html xmlns="http://www.w3.org/1999/xhtml"><head></head><body>' + e + "</body></html>");
371
+ Re === "application/xhtml+xml" && he === J && (e = '<html xmlns="http://www.w3.org/1999/xhtml"><head></head><body>' + e + "</body></html>");
372
372
  const A = E ? E.createHTML(e) : e;
373
- if (he === Q)
373
+ if (he === J)
374
374
  try {
375
375
  a = new w().parseFromString(A, Re);
376
376
  } catch {
@@ -383,7 +383,7 @@ function _n() {
383
383
  }
384
384
  }
385
385
  const v = a.body || a.documentElement;
386
- return e && u && v.insertBefore(i.createTextNode(u), v.childNodes[0] || null), he === Q ? Ke.call(a, me ? "html" : "body")[0] : me ? a.documentElement : v;
386
+ return e && u && v.insertBefore(i.createTextNode(u), v.childNodes[0] || null), he === J ? Ke.call(a, me ? "html" : "body")[0] : me ? a.documentElement : v;
387
387
  }, $t = function(e) {
388
388
  return xe.call(
389
389
  e.ownerDocument || e,
@@ -432,12 +432,12 @@ function _n() {
432
432
  if (te(j.uponSanitizeElement, e, {
433
433
  tagName: u,
434
434
  allowedTags: P
435
- }), Ce && e.hasChildNodes() && !$e(e.firstElementChild) && z(/<[/\w!]/g, e.innerHTML) && z(/<[/\w!]/g, e.textContent) || Ce && e.namespaceURI === Q && u === "style" && $e(e.firstElementChild) || e.nodeType === Se.progressingInstruction || Ce && e.nodeType === Se.comment && z(/<[/\w]/g, e.data))
435
+ }), Ce && e.hasChildNodes() && !$e(e.firstElementChild) && z(/<[/\w!]/g, e.innerHTML) && z(/<[/\w!]/g, e.textContent) || Ce && e.namespaceURI === J && u === "style" && $e(e.firstElementChild) || e.nodeType === Se.progressingInstruction || Ce && e.nodeType === Se.comment && z(/<[/\w]/g, e.data))
436
436
  return X(e), !0;
437
437
  if (we[u] || !(oe.tagCheck instanceof Function && oe.tagCheck(u)) && !P[u]) {
438
438
  if (!we[u] && qt(u) && (R.tagNameCheck instanceof RegExp && z(R.tagNameCheck, u) || R.tagNameCheck instanceof Function && R.tagNameCheck(u)))
439
439
  return !1;
440
- if (tt && !Z[u]) {
440
+ if (tt && !Q[u]) {
441
441
  const A = O(e) || e.parentNode, v = ie(e) || e.childNodes;
442
442
  if (v && A) {
443
443
  const L = v.length;
@@ -913,7 +913,26 @@ const Ni = /* @__PURE__ */ new Set([
913
913
  // application/x-tex, …) are not integration points and are preserved, so this
914
914
  // layer no longer strips the benign annotation-xml the backend and TinyMCE
915
915
  // already allow.
916
- ADD_TAGS: ["iframe", "semantics", "annotation", "annotation-xml"],
916
+ // object/embed/param re-enable PDF/SVG/media embedding in course content
917
+ // (e.g. <object data="file.pdf" type="application/pdf">). Their Flash/ActiveX
918
+ // attributes (classid, codebase, pluginspage, wmode, allowscriptaccess) are
919
+ // intentionally NOT added — dead tech, and ADD_ATTR is global in DOMPurify so
920
+ // re-allowing them would also reopen that surface on iframe. DOMPurify's URI
921
+ // filter blocks javascript:/data: on data/src, matching Canvas's
922
+ // http/https/relative protocol rule for these tags.
923
+ //
924
+ // SECURITY ASSUMPTION (same one iframe already relies on): object/embed load
925
+ // their resource as a *document*, not an image — a same-origin SVG/HTML file
926
+ // (e.g. <object data="/files/123/download" type="image/svg+xml">) executes any
927
+ // <script> it contains in the embedding page's origin. The javascript:/data:
928
+ // filter does not help here because the URL is a benign same-origin path; the
929
+ // payload lives in the fetched file. This is NOT new attack surface: <iframe>
930
+ // is already allowed and has the identical capability (its srcdoc is stripped —
931
+ // see test). The defense for all three is that Canvas serves user-uploaded
932
+ // files from a separate sandboxed origin. object/embed also have no usable
933
+ // sandbox attribute, so the sandbox-token hook cannot constrain them — again,
934
+ // parity with an unsandboxed iframe, which is already permitted.
935
+ ADD_TAGS: ["iframe", "semantics", "annotation", "annotation-xml", "object", "embed", "param"],
917
936
  ADD_ATTR: [
918
937
  "allowfullscreen",
919
938
  "allow",
@@ -921,6 +940,12 @@ const Ni = /* @__PURE__ */ new Set([
921
940
  "sandbox",
922
941
  "data-media-id",
923
942
  "data-media-type",
943
+ // <object>'s resource URL attribute — not in DOMPurify's defaults. src/type/
944
+ // name/value/width/height (used by object/embed/param) already are. Added
945
+ // globally (DOMPurify has no per-tag attr scoping), which is harmless: `data`
946
+ // is in URL_ATTRS so it is protocol-filtered, and it is not a DOM-clobbering
947
+ // or URI-safe attribute name.
948
+ "data",
924
949
  // RCE produces target="_blank" for external links. Modern browsers treat
925
950
  // target="_blank" as implicit rel="noopener", and the backend allowlist
926
951
  // already includes target.
@@ -957,10 +982,10 @@ const Ni = /* @__PURE__ */ new Set([
957
982
  // confusion attacks where fragments like <svg> could influence parse context.
958
983
  FORCE_BODY: !0
959
984
  };
960
- let J = null;
985
+ let K = null;
961
986
  function Pi() {
962
- if (J) return J;
963
- J = typeof bt == "function" ? bt(window) : bt, J.addHook("afterSanitizeAttributes", (n) => {
987
+ if (K) return K;
988
+ K = typeof bt == "function" ? bt(window) : bt, K.addHook("afterSanitizeAttributes", (n) => {
964
989
  if (!(n instanceof Element) || !n.hasAttribute("style")) return;
965
990
  const i = n.style, s = [];
966
991
  for (let m = 0; m < i.length; m++) {
@@ -986,11 +1011,11 @@ function Pi() {
986
1011
  f && xi.test(f) && i.removeProperty(m);
987
1012
  }
988
1013
  i.length === 0 && n.removeAttribute("style");
989
- }), J.addHook("uponSanitizeAttribute", (n, i) => {
1014
+ }), K.addHook("uponSanitizeAttribute", (n, i) => {
990
1015
  if (!vi.has(i.attrName)) return;
991
1016
  const s = i.attrValue;
992
1017
  /^\s*\/\//.test(s) ? (i.attrValue = s.trimStart().replace(/^\/\//, "https://"), i.keepAttr = !0) : /^\s*\\/.test(s) && (i.keepAttr = !1);
993
- }), J.addHook("afterSanitizeAttributes", (n) => {
1018
+ }), K.addHook("afterSanitizeAttributes", (n) => {
994
1019
  if (!(n instanceof Element) || !n.hasAttribute("srcset")) return;
995
1020
  const i = (n.getAttribute("srcset") ?? "").split(","), s = (d) => d.trim().split(/\s+/)[0];
996
1021
  if (i.some((d) => /^\s*\\/.test(s(d)))) {
@@ -1006,22 +1031,26 @@ function Pi() {
1006
1031
  return d.slice(0, m) + "https://" + p.slice(2) + d.slice(m + p.length);
1007
1032
  });
1008
1033
  l && n.setAttribute("srcset", c.join(","));
1009
- }), J.addHook("afterSanitizeAttributes", (n) => {
1034
+ }), K.addHook("afterSanitizeAttributes", (n) => {
1010
1035
  var i;
1011
1036
  if (!(n instanceof Element) || n.tagName !== "A" && n.tagName !== "AREA" || ((i = n.getAttribute("target")) == null ? void 0 : i.toLowerCase()) !== "_blank") return;
1012
1037
  const s = n.getAttribute("rel") ?? "", l = new Set(s.split(/\s+/).filter(Boolean));
1013
1038
  l.add("noopener"), n.setAttribute("rel", [...l].join(" "));
1014
- }), J.addHook("afterSanitizeAttributes", (n) => {
1039
+ }), K.addHook("afterSanitizeAttributes", (n) => {
1015
1040
  if (!(n instanceof Element) || n.tagName !== "IFRAME" || !n.hasAttribute("sandbox")) return;
1016
1041
  const i = (n.getAttribute("sandbox") ?? "").toLowerCase().split(/\s+/).filter(Boolean), s = i.filter((l) => ki.has(l));
1017
1042
  s.length !== i.length && n.setAttribute("sandbox", s.join(" "));
1043
+ }), K.addHook("afterSanitizeAttributes", (n) => {
1044
+ if (!(n instanceof Element) || n.tagName !== "PARAM") return;
1045
+ const i = n.getAttribute("value");
1046
+ i && /^\s*(?:javascript|vbscript):/i.test(i) && n.removeAttribute("value");
1018
1047
  });
1019
1048
  const t = /* @__PURE__ */ new Set(["text/html", "application/xhtml+xml"]);
1020
- return J.addHook("afterSanitizeElements", (n) => {
1049
+ return K.addHook("afterSanitizeElements", (n) => {
1021
1050
  if (!(n instanceof Element) || n.tagName.toLowerCase() !== "annotation-xml") return;
1022
1051
  const i = (n.getAttribute("encoding") ?? "").toLowerCase().trim();
1023
1052
  t.has(i) && n.remove();
1024
- }), J;
1053
+ }), K;
1025
1054
  }
1026
1055
  function It(t, n) {
1027
1056
  if (typeof window > "u")
@@ -1400,7 +1429,7 @@ function Qi({
1400
1429
  }) {
1401
1430
  const c = q(), d = i ? c.submissionCurrentAttempt() : c.commentsAttempt({ number: t.attempt }), p = t.score != null && s != null ? `${t.score}/${s}` : null;
1402
1431
  return /* @__PURE__ */ r(
1403
- K,
1432
+ Z,
1404
1433
  {
1405
1434
  as: "div",
1406
1435
  padding: "small medium",
@@ -1460,7 +1489,7 @@ function wn({
1460
1489
  size: n = "medium"
1461
1490
  }) {
1462
1491
  return t.length === 0 ? null : /* @__PURE__ */ r(b, { direction: "column", gap: "x-small", children: t.map((i) => /* @__PURE__ */ r(
1463
- K,
1492
+ Z,
1464
1493
  {
1465
1494
  as: "div",
1466
1495
  padding: n === "small" ? "x-small" : "small medium",
@@ -1492,15 +1521,15 @@ function to({
1492
1521
  C.some((w) => w.id === I.id) || C.push(I);
1493
1522
  return C;
1494
1523
  }, [t]), h = qe(() => c((t == null ? void 0 : t.body) ?? ""), [t == null ? void 0 : t.body, c]);
1495
- return t ? /* @__PURE__ */ r(K, { as: "div", children: /* @__PURE__ */ S(b, { direction: "column", gap: "small", children: [
1524
+ return t ? /* @__PURE__ */ r(Z, { as: "div", children: /* @__PURE__ */ S(b, { direction: "column", gap: "small", children: [
1496
1525
  i && !n && t.attempt != null && /* @__PURE__ */ r(_, { size: "small", weight: "bold", color: "secondary", children: l.submissionViewingAttempt({ number: t.attempt }) }),
1497
1526
  /* @__PURE__ */ S(b, { gap: "x-small", alignItems: "center", children: [
1498
1527
  /* @__PURE__ */ r($n, { color: "success" }),
1499
1528
  /* @__PURE__ */ r(St, { level: "h3", children: m })
1500
1529
  ] }),
1501
1530
  d && t.body && /* @__PURE__ */ S(b, { alignItems: "stretch", gap: "small", children: [
1502
- /* @__PURE__ */ r(K, { as: "div", width: "4px", background: "primary", borderRadius: "small" }),
1503
- /* @__PURE__ */ r(K, { as: "div", children: /* @__PURE__ */ r(_, { children: h }) })
1531
+ /* @__PURE__ */ r(Z, { as: "div", width: "4px", background: "primary", borderRadius: "small" }),
1532
+ /* @__PURE__ */ r(Z, { as: "div", children: /* @__PURE__ */ r(_, { children: h }) })
1504
1533
  ] }),
1505
1534
  p && f.length > 0 && /* @__PURE__ */ r(wn, { attachments: f })
1506
1535
  ] }) }) : null;
@@ -1811,7 +1840,7 @@ function fo({
1811
1840
  var m;
1812
1841
  const s = q(), l = i ?? mo, c = ((m = t.author.courseRoles) == null ? void 0 : m.includes("StudentEnrollment")) ?? !1, d = qe(() => l(t.htmlComment), [t.htmlComment, l]);
1813
1842
  return /* @__PURE__ */ r(
1814
- K,
1843
+ Z,
1815
1844
  {
1816
1845
  as: "div",
1817
1846
  padding: "small medium",
@@ -2019,9 +2048,9 @@ function Wo({
2019
2048
  isOverdue: Ie
2020
2049
  }
2021
2050
  ),
2022
- h.description && /* @__PURE__ */ S(K, { as: "div", children: [
2051
+ h.description && /* @__PURE__ */ S(Z, { as: "div", children: [
2023
2052
  /* @__PURE__ */ r(St, { level: "h3", children: m.assignmentInstructions() }),
2024
- /* @__PURE__ */ r(K, { as: "div", margin: "small none large none", children: f(h.description) })
2053
+ /* @__PURE__ */ r(Z, { as: "div", margin: "small none large none", children: f(h.description) })
2025
2054
  ] }),
2026
2055
  /* @__PURE__ */ r(
2027
2056
  to,
@@ -2050,7 +2079,7 @@ function qo({
2050
2079
  }, C = p.map((w) => w.id), I = p.length > 0 && !c;
2051
2080
  return /* @__PURE__ */ S(b, { direction: "column", gap: "medium", children: [
2052
2081
  p.length > 0 && /* @__PURE__ */ r(b, { direction: "column", gap: "x-small", children: p.map((w) => /* @__PURE__ */ r(
2053
- K,
2082
+ Z,
2054
2083
  {
2055
2084
  as: "div",
2056
2085
  padding: "small",
@@ -2155,7 +2184,7 @@ function bo({
2155
2184
  }) {
2156
2185
  var m, f, h, C, I;
2157
2186
  const l = q(), c = ((m = t.content_details) == null ? void 0 : m.locked_for_user) ?? !1, d = (f = t.content_details) == null ? void 0 : f.lock_explanation, p = /* @__PURE__ */ r(
2158
- K,
2187
+ Z,
2159
2188
  {
2160
2189
  as: "div",
2161
2190
  padding: "small",
@@ -2202,7 +2231,7 @@ function Vo({
2202
2231
  /* @__PURE__ */ r(St, { level: "h3", children: h }),
2203
2232
  /* @__PURE__ */ r(Qn, { screenReaderLabel: f.navigationClosePanel(), onClick: s, size: "small", children: /* @__PURE__ */ r(qn, {}) })
2204
2233
  ] }),
2205
- /* @__PURE__ */ S(K, { as: "div", padding: "none small", overflowY: "auto", children: [
2234
+ /* @__PURE__ */ S(Z, { as: "div", padding: "none small", overflowY: "auto", children: [
2206
2235
  t.state === "locked" && /* @__PURE__ */ r(b, { padding: "none none small", children: /* @__PURE__ */ S(_t, { color: "warning", children: [
2207
2236
  /* @__PURE__ */ r(gn, {}),
2208
2237
  " ",
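Review bot: The new `PARAM` hook in `Pi` (`K.addHook("afterSanitizeAttributes", (n) => { if (!(n instanceof Element) || n.tagName !== "PARAM") return; … })`) matches the raw `value` against `/^\s*(?:javascript|vbscript):/i`, but DOMPurify's own URI check strips embedded ASCII control characters before testing the scheme, so a value such as `java\tscript:` or one with a NUL-range prefix slips past this regex while still normalizing to the same scheme in a lenient consumer; I would normalize first, at minimum `const i = (n.getAttribute("value") ?? "").replace(/[\u0000-\u0020]/g, "");`. The ADD_TAGS comment earlier in this section states that `javascript:`/`data:` are blocked on `data`/`src`, which holds for URL attributes but not for `value`, so a `data:` scheme in a `<param>` is not covered by either mechanism; either extend the alternation to `(?:javascript|vbscript|data):` or say in the hook why `data:` is acceptable there. A one-line purpose comment above the hook would also help readers, e.g. `// <param value> is not a URL attribute to DOMPurify, so scheme filtering for legacy plugin URL params happens here`. `Pi` begins outside this hunk; its closing brace is inside it.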
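--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@instructure/platform-assignment-review",
-"version": "0.4.16",
+"version": "0.4.17",
 "type": "module",
 "main": "./dist/index.js",
 "module": "./dist/index.js",
@@ -39,7 +39,7 @@
 "graphql": "^16.0.0",
 "graphql-tag": "^2.12.0",
 "zod": "^3.23.8",
-"@instructure/platform-sanitize": "0.4.1"
+"@instructure/platform-sanitize": "0.5.0"
 },
 "devDependencies": {
 "@testing-library/jest-dom": "^6.9.1",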