Research: user-defined surveys #713
base: master
…srf, tested freeresponse and thumb surveys
Current to-do list:
Note: I removed the foreign key constraints from the survey responses table since I think there's no situation where we'd ever want to modify the data that's already in the table. Queries to this table can be done by manually checking if challenge/dojo/user match. This fixes the cascading deletes problem when updating a dojo.
reminder to self to fix load_surveys so it loads the html into survey.src directly
This branch should be ready for review now. I've tested existing dojos with no issues, and I've made multiple example surveys in my fork of example-dojo (https://github.com/2stinkysocks/example-dojo). These examples can probably be added to documentation later. Surveys can be defined in yml by either providing a src (file path inside the directory specified by survey-sources), or data (the actual html data of the survey). Surveys are embedded into an html form that will make a request to the survey submit endpoint when the form is submitted, or alternatively submitted through a single click by specifying data-form-submit on a tag. Currently surveys are stored in the db at a challenge-level (but can be defined in yml at challenge, module, or dojo level), and are sanitized before they are inserted into the db. Sanitization is done on a whitelist basis; allowed html/css attributes can be found under sanitize_survey in dojo_plugin/utils/__init__.py. There is currently no way to view survey responses in the frontend; it is just stored in the survey_responses table for now. I was unable to find any way to exploit this system with xss. I doubt this is possible, but it would be helpful to have some external feedback.
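As an added, stand-alone model of the whitelist approach the comment above describes (this is not the PR's sanitize_survey, which uses bleach): a minimal allowlist sanitizer on the standard library's html.parser. The tag and attribute lists are assumptions for illustration; they keep the PR's data-form-submit attribute and drop everything not listed, including event handlers, inline style and non-http(s) URLs.

```python
from html.parser import HTMLParser
from html import escape
from urllib.parse import urlsplit
# Assumed allowlist for illustration only; the PR's real lists live in sanitize_survey.
ALLOWED_TAGS = {"p", "div", "span", "label", "a", "input", "button", "textarea", "br", "b", "i", "ul", "li"}
ALLOWED_ATTRS = {"class", "id", "name", "value", "type", "placeholder", "for", "href", "data-form-submit"}
SAFE_URL_SCHEMES = {"", "http", "https"}  # "" covers relative URLs such as /submit
VOID_TAGS = {"input", "br"}
DROP_CONTENT_TAGS = {"script", "style"}  # drop the element together with its body

def href_is_safe(value: str) -> bool:
    try:  # urlsplit raises ValueError on malformed input (e.g. bad IPv6 brackets); treat as unsafe
        return urlsplit(value).scheme.lower() in SAFE_URL_SCHEMES
    except ValueError:
        return False

class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skipping = [], 0
    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            self.skipping += 1
            return
        if tag not in ALLOWED_TAGS:
            return  # unknown element is dropped, its text content survives
        kept = []
        for name, value in attrs:
            value = (value or "").strip()
            if name not in ALLOWED_ATTRS:
                continue  # this is what removes on*=, style=, src=, formaction=, ...
            if name == "href" and not href_is_safe(value):
                continue  # javascript:, data:, vbscript: and friends
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT_TAGS:
            self.skipping = max(0, self.skipping - 1)
        elif tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):  # comments and doctypes hit the no-op defaults, so they vanish
        if not self.skipping:
            self.out.append(escape(data))
def sanitize_survey_html(src: str) -> str:
    parser = AllowlistSanitizer()
    parser.feed(src)
    parser.close()
    return "".join(parser.out)
```

The rebuild-from-scratch shape matters: the output only ever contains tags and attributes the allowlist produced, so a review of the sanitizer is a review of two small sets plus the URL check.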
Some initial changes for user-defined surveys. Currently css is NOT sanitized, this needs to be changed before merging. Also need to test whether stylesheets within the surveys will conflict with each other and do some more thorough testing.
This is implemented by using bleach to sanitize survey html before it's inserted into the db, then rendering it inside a form. I also implemented a custom attribute that can be used by surveys to instantly submit onclick with a specified value (ex: thumbs up/down in a single click).