Merge pull request #169 from edx/aj/sec-fix-capa

SECURITY FIX : Fix CAPA Problems
2020-02-13 13:52:29 +05:00
parent 49be02a052 bcb2038843
commit eaaebc6d93
2 changed files with 18 additions and 0 deletions
--- a/common/lib/capa/capa/capa_problem.py
+++ b/common/lib/capa/capa/capa_problem.py
@@ -64,6 +64,7 @@ html_transforms = {

 # These should be removed from HTML output, including all subelements
 html_problem_semantics = [
+    "additional_answer",
    "codeparam",
    "responseparam",
    "answer",
--- a/common/lib/capa/capa/tests/test_capa_problem.py
+++ b/common/lib/capa/capa/tests/test_capa_problem.py
@@ -190,6 +190,23 @@ class CAPAProblemTest(unittest.TestCase):
            }
        )

+    def test_additional_answer_is_skipped_from_resulting_html(self):
+        """Tests that additional_answer element is not present in transformed HTML"""
+        xml = """
+        <problem>
+            <p>Be sure to check your spelling.</p>
+            <stringresponse answer="War" type="ci">
+                <label>___ requires sacrifices.</label>
+                <description>Anyone who looks the world as if it was a game of chess deserves to lose.</description>
+                <additional_answer answer="optional acceptable variant of the correct answer"/>
+                <textline size="40"/>
+            </stringresponse>
+        </problem>
+        """
+        problem = new_loncapa_problem(xml)
+        self.assertEqual(len(problem.extracted_tree.xpath('//additional_answer')), 0)
+        self.assertNotIn('additional_answer', problem.get_html())
+
    def test_non_accessible_inputtype(self):
        """
        Verify that tag with question text is not removed when inputtype is not fully accessible.