Perhaps properly sanitize js

a5daf1f3 · Vik Paruchuri · 6425a519 · a5daf1f3 · a5daf1f3
Commit a5daf1f3 authored Jan 24, 2013 by Vik Paruchuri
Hide whitespace changes
Inline Side-by-side

Showing with 8 additions and 0 deletions

common/lib/xmodule/xmodule/open_ended_module.py
+1 -0

common/lib/xmodule/xmodule/openendedchild.py
+7 -0

No files found.
--- a/common/lib/xmodule/xmodule/open_ended_module.py
+++ b/common/lib/xmodule/xmodule/open_ended_module.py
@@ -554,6 +554,7 @@ class OpenEndedModule(openendedchild.OpenEndedChild):

        # add new history element with answer and empty score and hint.
        self.new_history_entry(get['student_answer'])
+        get['student_answer'] = self.sanitize_html(get['student_answer'])
        self.send_to_grader(get['student_answer'], system)
        self.change_state(self.ASSESSING)


--- a/common/lib/xmodule/xmodule/openendedchild.py
+++ b/common/lib/xmodule/xmodule/openendedchild.py
@@ -5,6 +5,7 @@ import json
 import logging
 from lxml import etree
 from lxml.html import rewrite_links
+from lxml.html.clean import Cleaner
 from path import path
 import os
 import sys
@@ -130,12 +131,18 @@ class OpenEndedChild(object):
            return ""
        return self.history[-1].get('post_assessment', "")

+    def sanitize_html(self, answer):
+        cleaner = Cleaner(style=True, links=True, add_nofollow=True, page_structure=True, safe_attrs_only=True)
+        clean_html = cleaner.clean_html(answer)
+        return clean_html
+
    def new_history_entry(self, answer):
        """
        Adds a new entry to the history dictionary
        @param answer: The student supplied answer
        @return: None
        """
+        answer = self.sanitize_html(answer)
        self.history.append({'answer': answer})

    def record_latest_score(self, score):