Sanitizing exported html in LOM object description

openHPI · Jul 10, 2024 · 2bce870 · 2bce870
1 parent d7757c3
commit 2bce870
Show file tree

Hide file tree

Showing 4 changed files with 225 additions and 1 deletion.
diff --git a/Gemfile.lock b/Gemfile.lock
@@ -154,6 +154,8 @@ GEM
     docile (1.4.0)
     drb (2.2.1)
     erubi (1.13.0)
+    et-orbi (1.2.11)
+      tzinfo
     event_stream_parser (1.0.0)
     execjs (2.9.1)
     factory_bot (6.4.6)
@@ -169,6 +171,9 @@ GEM
     faraday-net_http (3.1.0)
       net-http
     ffi (1.17.0)
+    fugit (1.11.0)
+      et-orbi (~> 1, >= 1.2.11)
+      raabro (~> 1.4)
     glob (0.4.1)
     globalid (1.2.1)
       activesupport (>= 6.1)
@@ -326,6 +331,7 @@ GEM
       rspec-expectations (~> 3.12)
       rspec-mocks (~> 3.12)
       rspec-support (~> 3.12)
+    raabro (1.4.0)
     racc (1.8.0)
     rack (3.1.6)
     rack-mini-profiler (3.3.1)
@@ -521,6 +527,12 @@ GEM
     slim_lint (0.27.0)
       rubocop (>= 1.0, < 2.0)
       slim (>= 3.0, < 6.0)
+    solid_queue (0.3.3)
+      activejob (>= 7.1)
+      activerecord (>= 7.1)
+      concurrent-ruby (>= 1.3.1)
+      fugit (~> 1.11.0)
+      railties (>= 7.1)
     sorted_set (1.0.3)
       rbtree
       set (~> 1.0)
@@ -653,6 +665,7 @@ DEPENDENCIES
   simplecov
   slim-rails
   slim_lint
+  solid_queue
   sprockets-rails
   stackprof
   terser

diff --git a/app/services/lom_service/export_lom.rb b/app/services/lom_service/export_lom.rb
@@ -38,7 +38,9 @@ def oml_general(xml)
         end
         xml.language @task.iso639_lang
         xml.description do
-          xml.string ApplicationController.helpers.render_markdown(@task.description), language: @task.iso639_lang
+          html_fragment = Loofah.fragment(ApplicationController.helpers.render_markdown(@task.description))
+          html_fragment.scrub!(NbpScrubber.new)
+          xml.string html_fragment.to_s, language: @task.iso639_lang
         end
         if @task.programming_language&.language.present?
           xml.keyword do

diff --git a/app/services/lom_service/nbp_scrubber.rb b/app/services/lom_service/nbp_scrubber.rb
@@ -0,0 +1,12 @@
+# frozen_string_literal: true
+
+module LomService
+  class NbpScrubber < Rails::HTML::PermitScrubber
+    ALLOW_LIST = YAML.safe_load_file(Rails.root.join('app/services/lom_service/nbp_scrubber_allow_list.yml'))
+    def initialize
+      super
+      self.tags = ALLOW_LIST['tags']
+      self.attributes = ALLOW_LIST['attributes']
+    end
+  end
+end
diff --git a/app/services/lom_service/nbp_scrubber_allow_list.yml b/app/services/lom_service/nbp_scrubber_allow_list.yml
@@ -0,0 +1,197 @@
+---
+tags:
+  - a
+  - abbr
+  - acronym
+  - address
+  - area
+  - article
+  - aside
+  - b
+  - bdi
+  - big
+  - blockquote
+  - body
+  - br
+  - button
+  - caption
+  - center
+  - cite
+  - code
+  - col
+  - colgroup
+  - data
+  - datalist
+  - dd
+  - del
+  - details
+  - dfn
+  - dir
+  - div
+  - dl
+  - dt
+  - em
+  - fieldset
+  - figcaption
+  - figure
+  - font
+  - footer
+  - form
+  - h1
+  - h2
+  - h3
+  - h4
+  - h5
+  - h6
+  - head
+  - header
+  - hr
+  - html
+  - i
+  - img
+  - input
+  - ins
+  - kbd
+  - keygen
+  - label
+  - legend
+  - li
+  - main
+  - map
+  - mark
+  - menu
+  - menuitem
+  - meter
+  - nav
+  - ol
+  - optgroup
+  - option
+  - output
+  - p
+  - pre
+  - progress
+  - q
+  - rp
+  - rt
+  - ruby
+  - s
+  - samp
+  - section
+  - select
+  - small
+  - span
+  - strike
+  - strong
+  - sub
+  - summary
+  - sup
+  - table
+  - tbody
+  - td
+  - textarea
+  - tfoot
+  - th
+  - thead
+  - time
+  - tr
+  - tt
+  - u
+  - ul
+  - var
+  - wbr
+attributes:
+  - abbr
+  - accept-charset
+  - accept
+  - accesskey
+  - action
+  - align
+  - alt
+  - autocomplete
+  - autosave
+  - axis
+  - bgcolor
+  - border
+  - cellpadding
+  - cellspacing
+  - challenge
+  - char
+  - charoff
+  - charset
+  - checked
+  - cite
+  - clear
+  - color
+  - cols
+  - colspan
+  - compact
+  - contenteditable
+  - coords
+  - datetime
+  - dir
+  - disabled
+  - draggable
+  - dropzone
+  - enctype
+  - for
+  - frame
+  - headers
+  - height
+  - high
+  - href
+  - hreflang
+  - hspace
+  - ismap
+  - keytype
+  - label
+  - lang
+  - list
+  - longdesc
+  - low
+  - max
+  - maxlength
+  - media
+  - method
+  - min
+  - multiple
+  - name
+  - nohref
+  - noshade
+  - novalidate
+  - nowrap
+  - open
+  - optimum
+  - pattern
+  - placeholder
+  - prompt
+  - pubdate
+  - radiogroup
+  - readonly
+  - rel
+  - required
+  - rev
+  - reversed
+  - rows
+  - rowspan
+  - rules
+  - scope
+  - selected
+  - shape
+  - size
+  - span
+  - spellcheck
+  - src
+  - start
+  - step
+  - style
+  - summary
+  - tabindex
+  - target
+  - title
+  - type
+  - usemap
+  - valign
+  - value
+  - vspace
+  - width
+  - wrap