From f4a38be80b494870ee4865120d99f8226f9671b6 Mon Sep 17 00:00:00 2001
From: Mathis-Z
Date: Tue, 9 Jul 2024 10:24:47 +0200
Subject: [PATCH] Sanitizing exported html in LOM object description
---
 app/services/lom_service/export_lom.rb | 4 +-
 app/services/lom_service/nbp_scrubber.rb | 13 ++
 .../lom_service/nbp_scrubber_allow_list.yml | 197 ++++++++++++++++++
 3 files changed, 213 insertions(+), 1 deletion(-)
 create mode 100644 app/services/lom_service/nbp_scrubber.rb
 create mode 100644 app/services/lom_service/nbp_scrubber_allow_list.yml
diff --git a/app/services/lom_service/export_lom.rb b/app/services/lom_service/export_lom.rb
index 723bc27e6..6c037c013 100644
--- a/app/services/lom_service/export_lom.rb
+++ b/app/services/lom_service/export_lom.rb
@@ -38,7 +38,9 @@ def oml_general(xml)
 end
 xml.language @task.iso639_lang
 xml.description do
- xml.string ApplicationController.helpers.render_markdown(@task.description), language: @task.iso639_lang
+ html_fragment = Loofah.fragment(ApplicationController.helpers.render_markdown(@task.description))
+ html_fragment.scrub!(NbpScrubber.new)
+ xml.string html_fragment.to_s, language: @task.iso639_lang
 end
 if @task.programming_language&.language.present?
 xml.keyword do
diff --git a/app/services/lom_service/nbp_scrubber.rb b/app/services/lom_service/nbp_scrubber.rb
new file mode 100644
index 000000000..f2c4b2125
--- /dev/null
+++ b/app/services/lom_service/nbp_scrubber.rb
@@ -0,0 +1,13 @@
+# frozen_string_literal: true
+
+module LomService
+ class NbpScrubber < Rails::HTML::PermitScrubber
+ ALLOW_LIST = YAML.safe_load_file(Rails.root.join('app/services/lom_service/nbp_scrubber_allow_list.yml'))
+
+ def initialize
+ super
+ self.tags = ALLOW_LIST['tags']
+ self.attributes = ALLOW_LIST['attributes']
+ end
+ end
+end
diff --git a/app/services/lom_service/nbp_scrubber_allow_list.yml b/app/services/lom_service/nbp_scrubber_allow_list.yml
new file mode 100644
index 000000000..5707e1779
--- /dev/null
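Review bot: `NbpScrubber` is referenced unqualified in the new `xml.description` block, which only resolves if `ExportLom` is itself nested inside `module LomService`; the class header lies outside this hunk, so if it is declared as `class LomService::ExportLom` the reference should be `LomService::NbpScrubber.new`. Since `scrub!` returns the fragment, the three added lines also read more directly as one expression, `xml.string Loofah.fragment(ApplicationController.helpers.render_markdown(@task.description)).scrub!(NbpScrubber.new).to_s, language: @task.iso639_lang`, though keeping the local is fine if you prefer. A one-line why-comment above the scrub would help the next reader, e.g. `# Restrict the rendered description to the NBP allow list (see NbpScrubber)`. `oml_general` starts and ends outside the hunk.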
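Review bot: `ALLOW_LIST['tags']` and `ALLOW_LIST['attributes']` in `initialize` return nil when the YAML key is missing or misspelled, and as far as I recall a nil `tags`/`attributes` makes `PermitScrubber` fall back to its built-in safe list instead of failing, so a broken allow-list file would silently change what the export permits; `self.tags = ALLOW_LIST.fetch('tags')` and `self.attributes = ALLOW_LIST.fetch('attributes')` make that a load-time error instead. `ALLOW_LIST` holds a mutable Hash of Arrays read at class load; appending `.freeze` to the constant (or converting the two lists to `Set`s) keeps the lists from being altered at runtime. A class comment would also help, e.g. `# PermitScrubber whose tag and attribute lists come from nbp_scrubber_allow_list.yml; applied to task descriptions before they are embedded in the LOM export.`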
+++ b/app/services/lom_service/nbp_scrubber_allow_list.yml 
@@ -0,0 +1,197 @@
+---
+tags:
+ - a
+ - abbr
+ - acronym
+ - address
+ - area
+ - article
+ - aside
+ - b
+ - bdi
+ - big
+ - blockquote
+ - body
+ - br
+ - button
+ - caption
+ - center
+ - cite
+ - code
+ - col
+ - colgroup
+ - data
+ - datalist
+ - dd
+ - del
+ - details
+ - dfn
+ - dir
+ - div
+ - dl
+ - dt
+ - em
+ - fieldset
+ - figcaption
+ - figure
+ - font
+ - footer
+ - form
+ - h1
+ - h2
+ - h3
+ - h4
+ - h5
+ - h6
+ - head
+ - header
+ - hr
+ - html
+ - i
+ - img
+ - input
+ - ins
+ - kbd
+ - keygen
+ - label
+ - legend
+ - li
+ - main
+ - map
+ - mark
+ - menu
+ - menuitem
+ - meter
+ - nav
+ - ol
+ - optgroup
+ - option
+ - output
+ - p
+ - pre
+ - progress
+ - q
+ - rp
+ - rt
+ - ruby
+ - s
+ - samp
+ - section
+ - select
+ - small
+ - span
+ - strike
+ - strong
+ - sub
+ - summary
+ - sup
+ - table
+ - tbody
+ - td
+ - textarea
+ - tfoot
+ - th
+ - thead
+ - time
+ - tr
+ - tt
+ - u
+ - ul
+ - var
+ - wbr
+attributes:
+ - abbr
+ - accept-charset
+ - accept
+ - accesskey
+ - action
+ - align
+ - alt
+ - autocomplete
+ - autosave
+ - axis
+ - bgcolor
+ - border
+ - cellpadding
+ - cellspacing
+ - challenge
+ - char
+ - charoff
+ - charset
+ - checked
+ - cite
+ - clear
+ - color
+ - cols
+ - colspan
+ - compact
+ - contenteditable
+ - coords
+ - datetime
+ - dir
+ - disabled
+ - draggable
+ - dropzone
+ - enctype
+ - for
+ - frame
+ - headers
+ - height
+ - high
+ - href
+ - hreflang
+ - hspace
+ - ismap
+ - keytype
+ - label
+ - lang
+ - list
+ - longdesc
+ - low
+ - max
+ - maxlength
+ - media
+ - method
+ - min
+ - multiple
+ - name
+ - nohref
+ - noshade
+ - novalidate
+ - nowrap
+ - open
+ - optimum
+ - pattern
+ - placeholder
+ - prompt
+ - pubdate
+ - radiogroup
+ - readonly
+ - rel
+ - required
+ - rev
+ - reversed
+ - rows
+ - rowspan
+ - rules
+ - scope
+ - selected
+ - shape
+ - size
+ - span
+ - spellcheck
+ - src
+ - start
+ - step
+ - style
+ - summary
+ - tabindex
+ - target
+ - title
+ - type
+ - usemap
+ - valign
+ - value
+ - vspace
+ - width
+ - wrap
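Review bot: The allow list permits interactive and document-level elements — `form`, `input`, `button`, `select`, `textarea`, `keygen`, plus `html`, `head` and `body` — and attributes such as `action`, `contenteditable` and `target`, none of which a task description embedded in a LOM export is likely to need; every extra entry widens what a task author can put into the exported document, so trimming the list to the formatting elements the NBP consumer actually renders would be the safer default. `href`, `src` and `style` are also permitted; I believe `PermitScrubber` still filters URI schemes and CSS for those even when they are on the list, but that is worth confirming against the rails-html-sanitizer version in the Gemfile rather than assumed. A header comment stating which NBP specification or version this list mirrors, e.g. `# Tags/attributes accepted by the NBP importer for LOM descriptions; source: <spec reference>`, would let the next maintainer judge whether an entry can be dropped.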