HTML output not escaped
Opened this issue · 2 comments
icc commented
Thank you for a great tool which makes testing LTI simple!
I noticed that the values printed in assessment.erb are not escaped. This will cause issues if you test against e.g. Moodle which uses JSON for sourcedid. Anyway I think the tool should escape the html output using e.g. Rack::Utils.escape_html(text)
bracken commented
JSON sourcedid? That's cool. Think you could paste an example value that is sent for us to test with?
icc commented
Of course, the HTML looks like this with no escaping:
<input type="hidden" name="launch_params[lis_result_sourcedid]" value="{"data":{"instanceid":"1","userid":"2","launchid":1232306510},"hash":"e26bada8e76f271680d3d014237fc54cfe747d7621589df128c6a5b0c71c6b33"}" />
I guess simply replacing " with &quot; in the value would be enough.
I'm testing against the latest Moodle 2.7.
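Added example, not code from the tool discussed above: it renders the hidden input both ways, raw as the issue describes and through an HTML-escaping helper as proposed, and reads the attribute back the way a browser would submit it, so the breakage and the fix can both be checked. The sourcedid below is constructed (ids and hash are made up) and modelled on the value quoted in the thread; the template strings and the class and function names are assumptions for the example. It uses the stdlib ERB::Util#h (html_escape) so it runs without Rack; Rack::Utils.escape_html, as suggested in the issue, escapes the same characters and is the natural choice inside a Rack app.

```ruby
require 'erb'
require 'cgi'

# Constructed sample, modelled on the Moodle-style JSON sourcedid quoted in
# the issue; the ids and the hash are made up.
SAMPLE_SOURCEDID = '{"data":{"instanceid":"1","userid":"2","launchid":1232306510},' \
                   '"hash":"0000000000000000000000000000000000000000000000000000000000000000"}'

# Template as the issue describes it: the value is interpolated raw, so any
# double quote in the value terminates the attribute early.
UNSAFE_TEMPLATE = '<input type="hidden" name="launch_params[<%= @name %>]" value="<%= @value %>" />'

# Same template with the proposed fix: every interpolated value goes through h().
# ERB::Util#h is html_escape and covers & < > " ' ; Rack::Utils.escape_html
# (suggested in the issue) does the same job inside a Rack app.
SAFE_TEMPLATE = '<input type="hidden" name="launch_params[<%= h @name %>]" value="<%= h @value %>" />'

class HiddenInputRenderer
  include ERB::Util # makes h() available inside the template's binding

  def initialize(template)
    @template = ERB.new(template)
  end

  # Render one hidden input for a launch parameter.
  def render(name, value)
    @name = name
    @value = value
    @template.result(binding)
  end
end

# Read back what a browser would submit for this input: the first
# value="..." attribute, entity-decoded.
def submitted_value(html)
  m = html.match(/value="([^"]*)"/)
  m && CGI.unescapeHTML(m[1])
end

# True when the value survives the render -> parse round trip unchanged.
def round_trips?(template, name, value)
  submitted_value(HiddenInputRenderer.new(template).render(name, value)) == value
end

if __FILE__ == $PROGRAM_NAME
  puts HiddenInputRenderer.new(UNSAFE_TEMPLATE).render('lis_result_sourcedid', SAMPLE_SOURCEDID)
  puts HiddenInputRenderer.new(SAFE_TEMPLATE).render('lis_result_sourcedid', SAMPLE_SOURCEDID)
  puts round_trips?(UNSAFE_TEMPLATE, 'lis_result_sourcedid', SAMPLE_SOURCEDID) # false
  puts round_trips?(SAFE_TEMPLATE, 'lis_result_sourcedid', SAMPLE_SOURCEDID)   # true
end
```

With the raw template the submitted value is just `{`, because the first quote inside the JSON closes the attribute; with the escaped template the quotes become `&quot;` and the full sourcedid comes back intact.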