Improve escaping in code response.

97e8f943 · Alexander Kryklia · e6a9047f · 97e8f943 · 97e8f943 · 97e8f943
Commit 97e8f943 authored Jun 03, 2014 by Alexander Kryklia
Hide whitespace changes
Inline Side-by-side

Showing with 61 additions and 17 deletions

common/lib/capa/capa/inputtypes.py
+3 -13

common/lib/capa/capa/tests/test_inputtypes.py
+10 -0

common/lib/capa/capa/tests/test_util.py
+19 -3

common/lib/capa/capa/util.py
+29 -1

No files found.
--- a/common/lib/capa/capa/inputtypes.py
+++ b/common/lib/capa/capa/inputtypes.py
@@ -50,6 +50,7 @@ import pyparsing
 import html5lib
 import bleach

+from .util import sanitize_html
 from .registry import TagRegistry
 from chem import chemcalc
 from calc.preview import latex_preview
@@ -821,19 +822,7 @@ class MatlabInput(CodeInput):
        # this is only set if we don't have a graded response
        # the graded response takes precedence
        if 'queue_msg' in self.input_state and self.status in ['queued', 'incomplete', 'unsubmitted']:
-            attributes = bleach.ALLOWED_ATTRIBUTES.copy()
-            # Yuck! but bleach does not offer the option of passing in allowed_protocols,
-            # and matlab uses data urls for images
-            if u'data' not in bleach.BleachSanitizer.allowed_protocols:
-                bleach.BleachSanitizer.allowed_protocols.append(u'data')
-            attributes.update({'*': ['class', 'style', 'id'],
-                    'audio': ['controls', 'autobuffer', 'autoplay', 'src'],
-                    'img': ['src', 'width', 'height', 'class']})
-            self.queue_msg = bleach.clean(self.input_state['queue_msg'],
-                    tags=bleach.ALLOWED_TAGS + ['div', 'p', 'audio', 'pre', 'img', 'span'],
-                    styles=['white-space'],
-                    attributes=attributes
-                    )
+            self.queue_msg = sanitize_html(self.input_state['queue_msg'])

        if 'queuestate' in self.input_state and self.input_state['queuestate'] == 'queued':
            self.status = 'queued'
@@ -905,6 +894,7 @@ class MatlabInput(CodeInput):
            'button_enabled': self.button_enabled(),
            'matlab_editor_js': '{static_url}js/vendor/CodeMirror/octave.js'.format(
                static_url=self.capa_system.STATIC_URL),
+            'msg': sanitize_html(self.msg)  # sanitize msg before rendering into template
        }
        return extra_context


--- a/common/lib/capa/capa/tests/test_inputtypes.py
+++ b/common/lib/capa/capa/tests/test_inputtypes.py
@@ -757,6 +757,16 @@ class MatlabTest(unittest.TestCase):
        expected = "&lt;script&gt;Test message&lt;/script&gt;"
        self.assertEqual(the_input.queue_msg, expected)

+    def test_matlab_sanitize_msg(self):
+        """
+        Check that the_input.msg is sanitized.
+        """
+        not_allowed_tag = 'script'
+        self.the_input.msg = "<{0}>Test message</{0}>".format(not_allowed_tag)
+        expected = "&lt;script&gt;Test message&lt;/script&gt;"
+        self.assertEqual(self.the_input._get_render_context()['msg'], expected)
+
+
 def html_tree_equal(received, expected):
    """
    Returns whether two etree Elements are the same, with insensitivity to attribute order.

--- a/common/lib/capa/capa/tests/test_util.py
+++ b/common/lib/capa/capa/tests/test_util.py
-"""Tests capa util"""
-
+"""
+Tests capa util
+"""
 import unittest
 import textwrap
 from . import test_capa_system
-from capa.util import compare_with_tolerance
+from capa.util import compare_with_tolerance, sanitize_html


 class UtilTest(unittest.TestCase):
@@ -80,3 +81,18 @@ class UtilTest(unittest.TestCase):
        self.assertFalse(result)
        result = compare_with_tolerance(infinity, infinity, '1.0', False)
        self.assertTrue(result)
+
+
+    def test_sanitize_html(self):
+        """
+        Test for html sanitization with bleach.
+        """
+        allowed_tags = ['div', 'p', 'audio', 'pre', 'span']
+        for tag in allowed_tags:
+            queue_msg = "<{0}>Test message</{0}>".format(tag)
+            self.assertEqual(sanitize_html(queue_msg), queue_msg)
+
+        not_allowed_tag = 'script'
+        queue_msg = "<{0}>Test message</{0}>".format(not_allowed_tag)
+        expected = "&lt;script&gt;Test message&lt;/script&gt;"
+        self.assertEqual(sanitize_html(queue_msg), expected)
--- a/common/lib/capa/capa/util.py
+++ b/common/lib/capa/capa/util.py
+"""
+Utility functions for capa.
+"""
+import bleach
+
 from calc import evaluator
 from cmath import isinf
-
 #-----------------------------------------------------------------------------
 #
 # Utility functions used in CAPA responsetypes
@@ -134,3 +138,27 @@ def find_with_default(node, path, default):
        return v.text
    else:
        return default
+
+
+def sanitize_html(html_code):
+    """
+    Sanitize html_code for safe embed on LMS pages.
+
+    Used to sanitize XQueue responses from Matlab.
+    """
+    attributes = bleach.ALLOWED_ATTRIBUTES.copy()
+    # Yuck! but bleach does not offer the option of passing in allowed_protocols,
+    # and matlab uses data urls for images
+    if u'data' not in bleach.BleachSanitizer.allowed_protocols:
+        bleach.BleachSanitizer.allowed_protocols.append(u'data')
+    attributes.update({
+        '*': ['class', 'style', 'id'],
+        'audio': ['controls', 'autobuffer', 'autoplay', 'src'],
+        'img': ['src', 'width', 'height', 'class']
+    })
+    output = bleach.clean(html_code,
+        tags=bleach.ALLOWED_TAGS + ['div', 'p', 'audio', 'pre', 'img', 'span'],
+        styles=['white-space'],
+        attributes=attributes
+    )
+    return output