
Conversation

rtibbles
Member

Summary

  • In our QTI question generation on Studio for any formulae, we leverage the MathML semantics element to preserve the original LaTeX of the expression.
  • Unfortunately, DOMPurify sanitizes out semantics elements due to XSS vulnerabilities associated with its annotation elements.
  • We allow the semantics element to be retained here, but don't allow the annotation elements to be preserved - this slightly messes with the point of preserving the LaTeX as an annotation, but if we do need it in future, we can do some more precise filtering to allow that through while still disallowing any other encoding.
  • Adds some basic styling for MathML.

References

Fixes #13667

Reviewer guidance

Import a survey with a free response question and formula content into Kolibri and observe that the formula is now properly rendered.

Open question - the alternative here is to just remove the annotation completely from the Studio side - I don't think allowing semantics in this way opens us up to an XSS, but we would have to do some extra work to specifically allow the LaTeX annotation to be retained during sanitization.

…ny child annotation elements still.

Add some basic styling for MathML.
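Added example (not Kolibri's or DOMPurify's own code) of the policy the summary describes: a DOMPurify configuration that re-admits semantics but forbids annotation and annotation-xml, plus a fail-closed check run over the sanitizer's output so that a later config change which lets an annotation back through fails loudly instead of shipping markup. Assumptions: DOMPurify's documented config keys ADD_TAGS, FORBID_TAGS, KEEP_CONTENT and FORBID_CONTENTS and its sanitize(markup, config) signature; the function names, the sample MathML and the expected result are mine, not the project's.

```javascript
'use strict';
// Added example, not Kolibri's or DOMPurify's code. Assumes only DOMPurify's
// documented config keys ADD_TAGS / FORBID_TAGS / KEEP_CONTENT / FORBID_CONTENTS
// and that purify.sanitize(markup, config) returns an HTML string.

// MathML annotation elements this policy refuses. <annotation-xml> with
// encoding="text/html" is an HTML integration point: the HTML parser treats
// its children as HTML instead of MathML, so an <img onerror> placed inside it
// becomes live. That namespace switch is why DOMPurify's MathML profile leaves
// semantics and both annotation elements out. <annotation> holds opaque text
// (here the LaTeX source).
const ANNOTATION_TAGS = Object.freeze(['annotation', 'annotation-xml']);

// DOMPurify configuration that re-admits <semantics> and still refuses the
// annotation elements. FORBID_TAGS wins over ADD_TAGS and profiles, so the
// policy survives unrelated config edits that might re-admit them.
// Caveat (my reading of DOMPurify, check it against the pinned version): with
// KEEP_CONTENT at its default of true, the text of a removed element is
// hoisted into its parent unless the tag is in FORBID_CONTENTS; annotation-xml
// is in the default FORBID_CONTENTS list, annotation is not, so the LaTeX
// source may survive as a bare text node inside <semantics>. Setting
// FORBID_CONTENTS replaces the default list, so copy it if you extend it.
function buildMathMlConfig() {
  return {
    ADD_TAGS: ['semantics'],
    FORBID_TAGS: [...ANNOTATION_TAGS],
  };
}

// Tag tokens of serialized markup: closing slash, name, raw attribute text.
// DOMPurify returns the element's innerHTML, whose tag tokens are well formed,
// so scanning it is a sound post-condition on sanitizer output. This is a
// tripwire over sanitizer output, not a sanitizer; never clean input with it.
const TAG_TOKEN = /<(\/?)([A-Za-z][\w:-]*)([^>]*)>/g;

// Returns the policy violations found in sanitized markup: an annotation
// element, or an encoding= attribute (the namespace switch) on any element.
function findAnnotationLeaks(sanitized) {
  const leaks = [];
  for (const [, closing, rawName, attrs] of sanitized.matchAll(TAG_TOKEN)) {
    if (closing) continue;
    const name = rawName.toLowerCase();
    if (ANNOTATION_TAGS.includes(name)) leaks.push(`element <${name}>`);
    if (/(^|\s)encoding\s*=/i.test(attrs)) leaks.push(`encoding= on <${name}>`);
  }
  return leaks;
}

// Sanitize with the policy above and fail closed if an annotation survived,
// so a future config regression shows up as an error rather than as markup.
// `purify` is a DOMPurify instance: the browser global, or under Node
// createDOMPurify(new JSDOM('').window).
function sanitizeMathMl(markup, purify) {
  const out = purify.sanitize(markup, buildMathMlConfig());
  const leaks = findAnnotationLeaks(out);
  if (leaks.length > 0) {
    throw new Error(`MathML policy violated: ${leaks.join(', ')}`);
  }
  return out;
}

// Constructed samples (not taken from the page): what a QTI export might emit
// for x^2, including a hostile annotation-xml, and what this policy keeps.
const SAMPLE_INPUT =
  '<math><semantics><msup><mi>x</mi><mn>2</mn></msup>' +
  '<annotation encoding="application/x-tex">x^2</annotation>' +
  '<annotation-xml encoding="text/html"><img src="x" onerror="alert(1)"></annotation-xml>' +
  '</semantics></math>';
const POLICY_OUTPUT =
  '<math><semantics><msup><mi>x</mi><mn>2</mn></msup></semantics></math>';
```

In the browser call sanitizeMathMl(markup, window.DOMPurify); under Node pass createDOMPurify(new JSDOM('').window). Keeping the leak scan separate from the config means a unit test can assert the policy on recorded sanitizer output without a DOM at all.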
@rtibbles
Member Author

rtibbles commented Sep 5, 2025

Would be good to get QA verification here - I don't think the code is likely to change much.

@pcenov
Member

pcenov commented Sep 8, 2025

@rtibbles which Studio environment should I be using to test this one, publishing a channel with a Survey with a Free response question is still not working properly at Hotfixes...
