Sanitizing exported html in LOM object description

openHPI · Jul 27, 2024 · f4a38be · f4a38be
1 parent dcb0451
commit f4a38be
Show file tree

Hide file tree

Showing 3 changed files with 213 additions and 1 deletion.
diff --git a/app/services/lom_service/export_lom.rb b/app/services/lom_service/export_lom.rb
@@ -38,7 +38,9 @@ def oml_general(xml)
         end
         xml.language @task.iso639_lang
         xml.description do
-          xml.string ApplicationController.helpers.render_markdown(@task.description), language: @task.iso639_lang
+          html_fragment = Loofah.fragment(ApplicationController.helpers.render_markdown(@task.description))
+          html_fragment.scrub!(NbpScrubber.new)
+          xml.string html_fragment.to_s, language: @task.iso639_lang
         end
         if @task.programming_language&.language.present?
           xml.keyword do

diff --git a/app/services/lom_service/nbp_scrubber.rb b/app/services/lom_service/nbp_scrubber.rb
@@ -0,0 +1,13 @@
+# frozen_string_literal: true
+
+module LomService
+  class NbpScrubber < Rails::HTML::PermitScrubber
+    ALLOW_LIST = YAML.safe_load_file(Rails.root.join('app/services/lom_service/nbp_scrubber_allow_list.yml'))
+
+    def initialize
+      super
+      self.tags = ALLOW_LIST['tags']
+      self.attributes = ALLOW_LIST['attributes']
+    end
+  end
+end
diff --git a/app/services/lom_service/nbp_scrubber_allow_list.yml b/app/services/lom_service/nbp_scrubber_allow_list.yml
@@ -0,0 +1,197 @@
+---
+tags:
+  - a
+  - abbr
+  - acronym
+  - address
+  - area
+  - article
+  - aside
+  - b
+  - bdi
+  - big
+  - blockquote
+  - body
+  - br
+  - button
+  - caption
+  - center
+  - cite
+  - code
+  - col
+  - colgroup
+  - data
+  - datalist
+  - dd
+  - del
+  - details
+  - dfn
+  - dir
+  - div
+  - dl
+  - dt
+  - em
+  - fieldset
+  - figcaption
+  - figure
+  - font
+  - footer
+  - form
+  - h1
+  - h2
+  - h3
+  - h4
+  - h5
+  - h6
+  - head
+  - header
+  - hr
+  - html
+  - i
+  - img
+  - input
+  - ins
+  - kbd
+  - keygen
+  - label
+  - legend
+  - li
+  - main
+  - map
+  - mark
+  - menu
+  - menuitem
+  - meter
+  - nav
+  - ol
+  - optgroup
+  - option
+  - output
+  - p
+  - pre
+  - progress
+  - q
+  - rp
+  - rt
+  - ruby
+  - s
+  - samp
+  - section
+  - select
+  - small
+  - span
+  - strike
+  - strong
+  - sub
+  - summary
+  - sup
+  - table
+  - tbody
+  - td
+  - textarea
+  - tfoot
+  - th
+  - thead
+  - time
+  - tr
+  - tt
+  - u
+  - ul
+  - var
+  - wbr
+attributes:
+  - abbr
+  - accept-charset
+  - accept
+  - accesskey
+  - action
+  - align
+  - alt
+  - autocomplete
+  - autosave
+  - axis
+  - bgcolor
+  - border
+  - cellpadding
+  - cellspacing
+  - challenge
+  - char
+  - charoff
+  - charset
+  - checked
+  - cite
+  - clear
+  - color
+  - cols
+  - colspan
+  - compact
+  - contenteditable
+  - coords
+  - datetime
+  - dir
+  - disabled
+  - draggable
+  - dropzone
+  - enctype
+  - for
+  - frame
+  - headers
+  - height
+  - high
+  - href
+  - hreflang
+  - hspace
+  - ismap
+  - keytype
+  - label
+  - lang
+  - list
+  - longdesc
+  - low
+  - max
+  - maxlength
+  - media
+  - method
+  - min
+  - multiple
+  - name
+  - nohref
+  - noshade
+  - novalidate
+  - nowrap
+  - open
+  - optimum
+  - pattern
+  - placeholder
+  - prompt
+  - pubdate
+  - radiogroup
+  - readonly
+  - rel
+  - required
+  - rev
+  - reversed
+  - rows
+  - rowspan
+  - rules
+  - scope
+  - selected
+  - shape
+  - size
+  - span
+  - spellcheck
+  - src
+  - start
+  - step
+  - style
+  - summary
+  - tabindex
+  - target
+  - title
+  - type
+  - usemap
+  - valign
+  - value
+  - vspace
+  - width
+  - wrap