Render MathML in QTI questions generated by Studio

[rtibbles]

Summary

• In our QTI question generation on Studio for any formulae, we leverage the MathML semantics element to preserve the original LaTeX of the expression.
• Unfortunately, DOMPurify santiizes out semantics elements due to XSS vulnerabilities associated with its annotation elements.
• We allow the semantics element to be retained here, but don't allow the annotation elements to be preserved - this slightly messes with the point of preserving the LaTeX as an annotation, but if we do need it in future, we can do some more precise filtering to allow that through will still disallowing any other encoding.
• Adds some basic styling for MathML.

References

Fixes #13667

Reviewer guidance

Import a survey with a free response question and formula content into Kolibri and observe that the formula is now properly renderered.

Open question - the alternative here is to just remove the annotation completely from the Studio side - I don't think allowing semantics in this way opens us up to an XSS, but we would have to do some extra work to specifically allow the LaTeX annotation to be retained during santization.

[github-actions]

Build Artifacts

Asset type	Download link
PEX file	kolibri-0.18.2a0.dev0_git.2.g06bf89d2.pex
Windows Installer (EXE)	kolibri-0.18.2a0.dev0+git.2.g06bf89d2-windows-setup-unsigned.exe
Debian Package	kolibri_0.18.2a0.dev0+git.2.g06bf89d2-0ubuntu1_all.deb
Mac Installer (DMG)	kolibri-0.18.2a0.dev0+git.2.g06bf89d2.dmg
Android Package (APK)	kolibri-0.18.2a0.dev0+git.2.g06bf89d2-0.1.5-debug.apk
Raspberry Pi Image	kolibri-pi-image-0.18.2a0.dev0+git.2.g06bf89d2.zip
TAR file	kolibri-0.18.2a0.dev0+git.2.g06bf89d2.tar.gz
WHL file	kolibri-0.18.2a0.dev0+git.2.g06bf89d2-py2.py3-none-any.whl

[rtibbles]

Would be good to get QA verification here - I don't think the code is likely to change much.

[pcenov]

@rtibbles which Studio environment should I be using to test this one, publishing a channel with a Survey with a Free response question is still not working properly at Hotfixes...

[nucleogenesis]

Overall the updates look reasonable.

I did a cursory search for what 'semantics' refers to as a string passed to sanitize (ie, does this mean all "semantic" html elements in general or something specific to DOMPurify?)

Open question - the alternative here is to just remove the annotation completely from the Studio side - I don't think allowing semantics in this way opens us up to an XSS, but we would have to do some extra work to specifically allow the LaTeX annotation to be retained during santization.

Is this approach something that is more work for likely marginal (if any) security benefit?

---

@marcellamaki noted that we'd like this to be QA'd soon so I'm approving it - I don't suspect answers to my questions above will result in change requests so should be good to make available to QA

[rtibbles]

Is this approach something that is more work for likely marginal (if any) security benefit?

It would basically involve rolling back the additional LaTeX annotation I added on the Studio side (whereby the MathML is rendered in such a way that we keep the source LaTeX as an annotation on the MathML) - we might need this for supporting non-MathML supporting browsers, or possibly as a hint to an editor. I do think the current security risk is nil, simply because we are only allowing the semantic MathML element and not the annotation element (which is the vector for the injection attack).

[marcellamaki]

Similar to #13738, I have tested this with the dev environment sandbox (since we are having issues with hotfixes which prevents the QA team from testing). MathML rendering correctly!