Sanitize webcontent and discussion #3
Conversation
| ${ | ||
| typeof page.content === "string" | ||
| ? DOMPurify.sanitize(page.content) | ||
| : page.content |
There was a problem hiding this comment.
When would it be that it's not a string?
There was a problem hiding this comment.
imscc-packager/src/imscc/types.ts
Line 66 in a5583dd
when it's an assessment
There was a problem hiding this comment.
do those sections also have HTML?
There was a problem hiding this comment.
e.g.
const sanitizeAnswer = <T extends Answer>(answer: T) => ({
...answer,
text: sanitize(answer.text)
});
const sanitizeAnswerArray = <T extends Answer>(answers: T[] | undefined) => answers ? answers.map(sanitizeAnswer) : undefined;
const sanitizeMatches = (matches: Match[] | undefined) => matches ?
matches.map((match) => ({
pair: [sanitizeAnswer(match.pair[0]), sanitizeAnswer(match.pair[1])]
})): undefined;
const sanitize = (content: string | Section[]) => {
if (typeof content === "string") {
return DOMPurify.sanitize(content);
} else {
const sanitizedSection = content.map((section) => ({
...section,
title: sanitize(section.title),
question: sanitize(section.question),
answers: sanitizeAnswerArray(section.answers),
choices: sanitizeAnswerArray(section.choices),
matches: sanitizeMatches(section.matches)
}));
return sanitizedSection;
}
}There was a problem hiding this comment.
Note: any user editable field that could possibly be reflected back to a user as HTML needs to be sanitized
There was a problem hiding this comment.
do those sections also have HTML?
yes, only questions that can be in html format. currently i sanitized the question in coursemagic side because it's in escaped format, i sanitze it before escaping it. should the imscc-packger be the one that responsible for sanitizing the html?
No description provided.