sanitize submission result

[rien]

This pull request sanitizes submission results (i.e. we prevent additional <script> in judge output from being executed).

TODO:

• Rebase with develop once description iframes #1234 is merged
• Test if all judge output is properly escaped
• Documentation at make clear that HTML output is stripped to prevent XSS issues dodona-edu.github.io#10

Fixes #1139.

[codecov]

Codecov Report

Merging #1330 into develop will increase coverage by 1.59%.
The diff coverage is 100%.

@@             Coverage Diff             @@
##           develop    #1330      +/-   ##
===========================================
+ Coverage    82.18%   83.78%   +1.59%     
===========================================
  Files           89       89              
  Lines         4154     4156       +2     
===========================================
+ Hits          3414     3482      +68     
+ Misses         740      674      -66

Impacted Files	Coverage Δ
app/helpers/renderers/pythia_renderer.rb	93.93% <100%> (+39.67%)	⬆️
app/helpers/renderers/lcs_html_differ.rb	63.48% <100%> (ø)	⬆️
app/helpers/renderers/feedback_table_renderer.rb	92.55% <100%> (+1.9%)	⬆️
app/helpers/application_helper.rb	85.58% <100%> (ø)	⬆️
app/models/concerns/cacheable.rb	83.33% <0%> (-16.67%)	⬇️

[bmesuere]

Don't we need a test where the actual stripping is tested? For example, for the script tag, we want the tag + contents gone and not only the tag itself.

[chvp]

Note: we get deprecation warnings because of this but it should be fixed in the next version of rails-html-sanitizer.

[chvp]

I've added tests for and fixed the stripping of the content of tags in d13c4ee. It's quite hard to test this in the tests of the renderers though, since we actually want to escape most of the HTML in the JSON (e.g. in the diff table), which means the content will still be there (escaped, but otherwise unchanged).

[rien]

👍