Skip to content

Research: user-defined surveys #713

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 11 commits into
base: master
Choose a base branch
from

Conversation

2stinkysocks
Copy link
Contributor

Some initial changes for user-defined surveys. Currently css is NOT sanitized, this needs to be changed before merging. Also need to test whether stylesheets within the surveys will conflict with each other and do some more thorough testing.

This is implemented by using bleach to sanitize survey html before it's inserted into the db, then rendering it inside a form. I also implemented a custom attribute that can be used by surveys to instantly submit onclick with a specified value (ex: thumbs up/down in a single click).

@2stinkysocks
Copy link
Contributor Author

2stinkysocks commented Jun 10, 2025

Current to-do list:

  • HTML/CSS sanitization
  • Prevent survey styles from affecting rest of site
  • HTML Form implementation
  • One-click submit js implementation
  • CSRF prevention for survey submissions
  • Tested thumbs up/down surveys
  • Tested free-response surveys
  • Tested multiple choice surveys
  • Updating dojo shouldn't clear survey responses
  • Tested possible exploits
  • Verified non-survey challenges are unaffected
  • Better/more polished method for inputting survey data

Note: I removed the foreign key constraints from the survey responses table since I think there's no situation where we'd ever want to modify the data that's already in the table. Queries to this table can be done by manually checking if challenge/dojo/user match. This fixes the cascading deletes problem when updating a dojo.

@2stinkysocks
Copy link
Contributor Author

reminder to self to fix load_surveys so it loads the html into survey.src directly

@2stinkysocks 2stinkysocks marked this pull request as ready for review July 2, 2025 22:43
@2stinkysocks
Copy link
Contributor Author

2stinkysocks commented Jul 2, 2025

This branch should be ready for review now. I've tested existing dojos with no issues, and I've made multiple example surveys in my fork of example-dojo (https://github.com/2stinkysocks/example-dojo). These examples can probably added to documentation later.

Surveys can be defined in yml by either providing a src (file path inside the directory specified by survey-sources), or data (the actual html data of the survey).

Surveys are embedded into an html form that will make a request to the survey submit endpoint when the form is submitted, or alternatively submitted through a single click by specifying data-form-submit on a tag.

Currently surveys are stored in the db at a challenge-level (but can be defined in yml at challenge, module, or dojo level), and are sanitized before they are inserted into the db. Sanitization is done on a whitelist-basis; allowed html/css attributes can be found under sanitize_survey in dojo_plugin/utils/__init__.py.

There is currently no way to view survey responses in the frontend, it is just stored in the survey_responses table for now.

I was unable to find any way to exploit this system with xss, I doubt this is possible but it would be helpful to have some external feedback.

@ConnorNelson
Copy link
Member

  • NOTE: foreign keys deleted to handle the dojo delete/recreate problem when we do an update (which wipes everything out).

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants