Research: user-defined surveys

[2stinkysocks]

Some initial changes for user-defined surveys. Currently css is NOT sanitized, this needs to be changed before merging. Also need to test whether stylesheets within the surveys will conflict with each other and do some more thorough testing.

This is implemented by using bleach to sanitize survey html before it's inserted into the db, then rendering it inside a form. I also implemented a custom attribute that can be used by surveys to instantly submit onclick with a specified value (ex: thumbs up/down in a single click).

[2stinkysocks]

Current to-do list:

• HTML/CSS sanitization
• Prevent survey styles from affecting rest of site
• HTML Form implementation
• One-click submit js implementation
• CSRF prevention for survey submissions
• Tested thumbs up/down surveys
• Tested free-response surveys
• Tested multiple choice surveys
• Updating dojo shouldn't clear survey responses
• Tested possible exploits
• Verified non-survey challenges are unaffected
• Better/more polished method for inputting survey data

Note: I removed the foreign key constraints from the survey responses table since I think there's no situation where we'd ever want to modify the data that's already in the table. Queries to this table can be done by manually checking if challenge/dojo/user match. This fixes the cascading deletes problem when updating a dojo.

[2stinkysocks]

reminder to self to fix load_surveys so it loads the html into survey.src directly

[2stinkysocks]

This branch should be ready for review now. I've tested existing dojos with no issues, and I've made multiple example surveys in my fork of example-dojo (https://github.com/2stinkysocks/example-dojo). These examples can probably added to documentation later.

Surveys can be defined in yml by either providing a src (file path inside the directory specified by survey-sources), or data (the actual html data of the survey).

Surveys are embedded into an html form that will make a request to the survey submit endpoint when the form is submitted, or alternatively submitted through a single click by specifying data-form-submit on a tag.

Currently surveys are stored in the db at a challenge-level (but can be defined in yml at challenge, module, or dojo level), and are sanitized before they are inserted into the db. Sanitization is done on a whitelist-basis; allowed html/css attributes can be found under sanitize_survey in dojo_plugin/utils/__init__.py.

There is currently no way to view survey responses in the frontend, it is just stored in the survey_responses table for now.

I was unable to find any way to exploit this system with xss, I doubt this is possible but it would be helpful to have some external feedback.

[ConnorNelson]

• NOTE: foreign keys deleted to handle the dojo delete/recreate problem when we do an update (which wipes everything out).