From a5daf1f34defc37a4d88feb6f71247f2a61fdc70 Mon Sep 17 00:00:00 2001
From: Vik Paruchuri
Date: Thu, 24 Jan 2013 13:44:48 -0500
Subject: [PATCH] Perhaps properly sanitize js

---
 common/lib/xmodule/xmodule/open_ended_module.py | 1 +
 common/lib/xmodule/xmodule/openendedchild.py | 7 +++++++
 2 files changed, 8 insertions(+)

diff --git a/common/lib/xmodule/xmodule/open_ended_module.py b/common/lib/xmodule/xmodule/open_ended_module.py
index c17f95a360..02059dca1a 100644
--- a/common/lib/xmodule/xmodule/open_ended_module.py
+++ b/common/lib/xmodule/xmodule/open_ended_module.py
@@ -554,6 +554,7 @@ class OpenEndedModule(openendedchild.OpenEndedChild):
         # add new history element with answer and empty score and hint.
         self.new_history_entry(get['student_answer'])
+        get['student_answer'] = self.sanitize_html(get['student_answer'])
         self.send_to_grader(get['student_answer'], system)
         self.change_state(self.ASSESSING)
diff --git a/common/lib/xmodule/xmodule/openendedchild.py b/common/lib/xmodule/xmodule/openendedchild.py
index 62d203987a..f2cc2ae295 100644
--- a/common/lib/xmodule/xmodule/openendedchild.py
+++ b/common/lib/xmodule/xmodule/openendedchild.py
@@ -5,6 +5,7 @@ import json
 import logging
 from lxml import etree
 from lxml.html import rewrite_links
+from lxml.html.clean import Cleaner
 from path import path
 import os
 import sys
@@ -130,12 +131,18 @@ class OpenEndedChild(object):
             return ""
         return self.history[-1].get('post_assessment', "")
 
+    def sanitize_html(self, answer):
+        cleaner = Cleaner(style=True, links=True, add_nofollow=True, page_structure=True, safe_attrs_only=True)
+        clean_html = cleaner.clean_html(answer)
+        return clean_html
+
     def new_history_entry(self, answer):
         """
         Adds a new entry to the history dictionary
         @param answer: The student supplied answer
         @return: None
         """
+        answer = self.sanitize_html(answer)
         self.history.append({'answer': answer})
 
     def record_latest_score(self, score):
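Review bot: Because `new_history_entry` now sanitizes internally (second file of this patch), the added line runs `sanitize_html` a second time on the same value, so the history entry and the grader each receive an independently cleaned copy and the raw answer still reaches `new_history_entry` first. Clean once and pass the result to both: `answer = self.sanitize_html(get['student_answer'])`, then `self.new_history_entry(answer)` and `self.send_to_grader(answer, system)`, with the internal call in `new_history_entry` dropped or kept as a second line of defence, but documented as such. Note also that cleaning at submission time leaves any history entries stored before this change untouched, so the rendering side must still escape or clean what it displays rather than trusting stored answers. The enclosing method begins and ends outside the hunk.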
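Review bot: `sanitize_html` has no docstring, and the explicit `Cleaner` arguments do not say which protection actually comes from defaults; suggest `"""Return *answer* with scripts, styles, unsafe attributes and javascript: links stripped by lxml's Cleaner (script/javascript/comment removal are Cleaner defaults)."""`. Two behaviours of `Cleaner.clean_html` on a str input should be confirmed against the grader path: lxml raises (I believe `lxml.etree.ParserError`, "Document is empty") on an empty string, so an empty submission would error instead of being recorded, and a plain-text answer comes back wrapped in an element such as `<p>…</p>`, so the grader and the stored history will see markup the student never wrote. A guard like `if not answer: return answer` covers the first case; the second may need a note or a different cleaning strategy depending on what the grader expects. The `Cleaner` is built from fixed arguments on every call and could be a module-level constant.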