#!/usr/bin/env python3 """ validate_course.py - Validate course.json / question-set.json structure. Usage: python validate_course.py python validate_course.py --course-path "path/to/course.json" python validate_course.py --verbose python validate_course.py --strict # public-conformance mode (TD-155) python validate_course.py --no-schema # skip jsonschema, run domain checks only Public-conformance mode (TD-155, 2026-05-04): By default the validator is lenient: pre-1.0 document shapes from internal Lesson Commons content (wrapped envelopes `{"course":{...}}`, bare payloads `{"units":[...]}` with no documentType) emit a warning and fall through with reduced schema enforcement. This is intentional — the Lesson Commons Editor's migration paths still ingest these shapes, and failing them outright would block the upgrade. Third-party producers and consumers should treat the lenient path as a Lesson-Commons-internal migration aid, not a published affordance. `--strict` disables that tolerance. Pre-1.0 shapes become FATAL ERRORS in strict mode. Conformance-corpus runs MUST use --strict so that the NORMATIVE.md §3.2 / §4.1 rejections promised by the spec are actually enforced. The conformance corpus harness (tools/run_corpus.py) always invokes validate_course.py with --strict. Public conformance claims under NORMATIVE.md §10 are evaluated in --strict mode. Two-pass validation (TD-109, 2026-04-28): 1. PRIMARY — JSON Schema: every document is run through the published schemas in LC.JSON/specification/schemas/ via the `jsonschema` package (>=4.18, modern `referencing` API). This catches required-field omissions, enum violations, UUID format drift, type mismatches, and any other contract that the schemas already declare. Per-question schema dispatch happens in a second jsonschema pass keyed off the `type` discriminator (matching/ordering fall back to question-base until Phase 5 adds their schemas). 2. SECONDARY — Domain rules: things JSON Schema can't easily express: HTML-tag allowlist + anchor scheme allowlist, gap-marker / accepted- answer count consistency, sequence integrity, points consistency (item.points == sum of question.points), SentenceTransformation chunk numbering and keyword case, MultiGapCloze comma/colon ban, ContentSequence cross-reference resolution, signpost-without- objectives warning. If `jsonschema` is not installed the validator emits a startup warning and runs only the secondary pass. Install with `pip install -r LC.JSON/requirements.txt`. """ import json import re import sys from pathlib import Path import argparse # --------------------------------------------------------------------------- # JSON Schema integration (TD-109, 2026-04-28; Phase 5, 2026-04-28) # --------------------------------------------------------------------------- # # We load every *.schema.json file from LC.JSON/specification/schemas/ into # a Registry once at startup. Each schema is registered under both its bare # filename and its declared canonical $id (`lc-json.org/1.0-rc.2/` for the # current rc.2 publication; `lc-json.org/1.0/` once 1.0 final ships) so # $ref resolution works whether a schema $refs a peer by filename or by # absolute URL. # # Phase 5 (2026-04-28) migrated every schema $id to the canonical # `lc-json.org//` host. The version path tracks the publication # being shipped (NORMATIVE.md §3.1 + §8.3): rc.N publications are at # `/1.0-rc.N/`; the `/1.0/` path is reserved for 1.0 final. _HERE = Path(__file__).resolve().parent # The publication this validator ships with. The bundled reference validator # tracks a single publication (the development head, currently 1.0-rc.2); it is # NOT a dual-version validator — a document pins its version via $schema, and an # rc.1 document is validated with the rc.1-tagged validator. Bump this when # cutting the next publication (e.g. "1.0" at final). Drives both the public-repo # schema-dir selection and the canonical $id registered for $ref resolution. _CURRENT_PUBLICATION = "1.0-rc.3" def _detect_schemas_dir(): """Resolve the schemas directory for the current layout. Lesson Commons monorepo (source): LC.JSON/tools/ → ../specification/schemas/ Public spec repo (published): tools/ → ../schemas// Tries the source-layout path first. In the public-repo layout, multiple immutable versioned dirs may coexist (e.g. a frozen schemas/1.0-rc.1/ alongside schemas/1.0-rc.2/), so this MUST load the dir for THIS validator's own publication (_CURRENT_PUBLICATION) — never whichever sorts first, which would validate one publication's documents against another's schemas. """ dev_path = _HERE.parent / "specification" / "schemas" if dev_path.is_dir(): return dev_path pub_schemas_root = _HERE.parent / "schemas" if pub_schemas_root.is_dir(): # Prefer this validator's own publication. preferred = pub_schemas_root / _CURRENT_PUBLICATION if (preferred / "course.schema.json").exists(): return preferred # Fallback: a single-version deployment published under a different name. for candidate in sorted(pub_schemas_root.iterdir()): if candidate.is_dir() and (candidate / "course.schema.json").exists(): return candidate return dev_path # fallback; downstream errors will be clearer than a misleading path SCHEMAS_DIR = _detect_schemas_dir() # Map question type discriminator (camelCase) → schema filename. # matching/ordering have no per-type schemas yet (Phase 5 task) — fall back # to question-base.schema.json. _QUESTION_TYPE_SCHEMA = { "simpleGapFill": "simple-gap-fill.schema.json", "trueFalseQuestion": "true-false-question.schema.json", "multipleChoice": "multiple-choice.schema.json", "wordBankCloze": "word-bank-cloze.schema.json", "multiGapCloze": "multi-gap-cloze.schema.json", "multipleChoiceCloze": "multiple-choice-cloze.schema.json", "shortAnswer": "short-answer.schema.json", "essay": "essay.schema.json", "sentenceTransformation": "sentence-transformation.schema.json", "matching": "matching.schema.json", "ordering": "ordering.schema.json", "placement": "placement.schema.json", # Reserved-for-2027 question types (FF-102) — declared in question-base # enum but with no per-type schema yet. Validate against base only. "association": "question-base.schema.json", "hotspot": "question-base.schema.json", "graphicGapMatch": "question-base.schema.json", "graphicAssociate": "question-base.schema.json", "graphicOrder": "question-base.schema.json", "fileUpload": "question-base.schema.json", "mediaPromptedEssay": "question-base.schema.json", } try: from jsonschema import Draft7Validator from referencing import Registry, Resource from referencing.jsonschema import DRAFT7 _JSONSCHEMA_AVAILABLE = True except ImportError as _ie: _JSONSCHEMA_IMPORT_ERROR = str(_ie) _JSONSCHEMA_AVAILABLE = False def _load_schema_registry(): """Load every *.schema.json into a Registry keyed by multiple URIs. Returns (registry, schemas_by_filename). Registry is None if jsonschema is unavailable. """ if not _JSONSCHEMA_AVAILABLE: return None, {} if not SCHEMAS_DIR.is_dir(): return None, {} schemas_by_filename = {} pairs = [] for path in sorted(SCHEMAS_DIR.glob("*.schema.json")): with path.open("r", encoding="utf-8") as f: contents = json.load(f) fname = path.name schemas_by_filename[fname] = contents resource = DRAFT7.create_resource(contents) declared_id = contents.get("$id", "") or "" canonical = f"https://lc-json.org/{_CURRENT_PUBLICATION}/{fname}" # De-dup so we don't register the same URI twice with the same resource. for uri in {fname, declared_id, canonical}: if uri: pairs.append((uri, resource)) registry = Registry().with_resources(pairs) return registry, schemas_by_filename _SCHEMA_REGISTRY, _SCHEMAS = _load_schema_registry() def _format_schema_path(path_iter, ref_prefix=""): """Render a jsonschema absolute_path deque as 'ref_prefix > a > b > c'.""" segments = [ref_prefix] if ref_prefix else [] segments.extend(str(p) for p in path_iter) return " > ".join(segments) if segments else "" def _validate_against_schema(payload, schema_filename, ref_prefix=""): """Run a payload through the named schema. Returns list of error strings. If jsonschema isn't available, returns an empty list — caller relies on the secondary domain-rule pass. """ if not _JSONSCHEMA_AVAILABLE: return [] schema = _SCHEMAS.get(schema_filename) if schema is None: return [f"INTERNAL: schema '{schema_filename}' not found in registry"] validator = Draft7Validator(schema, registry=_SCHEMA_REGISTRY) errors = [] for err in validator.iter_errors(payload): path = _format_schema_path(err.absolute_path, ref_prefix) # Trim verbose `instance` repr from the message — jsonschema tends to # echo the full offending value. Keep just the short reason. msg = err.message.split("\n", 1)[0] if len(msg) > 240: # `oneOf` failures dump the full instance dict into the message; # truncate so the report stays scannable. The path locates the # error; the per-element details show up in subsequent errors. msg = msg[:240].rsplit(" ", 1)[0] + "… (truncated)" errors.append(f"[SCHEMA] {path}: {msg}") return errors def _validate_questions_per_type(questions, parent_ref): """Run each question through its per-type schema (TD-109 secondary pass). Yields error strings. The parent's `course`/`question-set` schema only validates against question-base for items in a questions[] array, so type-specific properties (options on multipleChoice, acceptedChunks on sentenceTransformation, etc.) need a per-question pass to be enforced. """ errors = [] if not _JSONSCHEMA_AVAILABLE: return errors for idx, question in enumerate(questions or []): if not isinstance(question, dict): continue qtype = question.get("type") schema_name = _QUESTION_TYPE_SCHEMA.get(qtype) ref = f"{parent_ref} > Q{idx + 1} ({qtype})" if schema_name is None: # Surface a clean error for unknown question types so the user # doesn't have to parse the noisy oneOf failure from the parent. errors.append( f"[SCHEMA] {ref} > type: '{qtype}' is not a recognised question " f"discriminator. Allowed: {', '.join(sorted(_QUESTION_TYPE_SCHEMA.keys()))}." ) continue errors.extend(_validate_against_schema(question, schema_name, ref)) return errors def _walk_and_validate_all_questions(course): """Walk Course → Units → Lessons → Items, validate each item's questions against its per-type schema. Returns list of error strings.""" errors = [] units = course.get("units") or [] for u_idx, unit in enumerate(units): if not isinstance(unit, dict): continue unit_ref = f"units > {u_idx}" for l_idx, lesson in enumerate(unit.get("lessons") or []): if not isinstance(lesson, dict): continue lesson_ref = f"{unit_ref} > lessons > {l_idx}" for i_idx, item in enumerate(lesson.get("items") or []): if not isinstance(item, dict): continue item_ref = f"{lesson_ref} > items > {i_idx}" if isinstance(item.get("questions"), list): errors.extend(_validate_questions_per_type(item["questions"], item_ref)) return errors def _collect_weighted_points_notes(course): """TD-122: emit informational notes when an Exercise/Quiz item's `points` field differs from the sum of its question points. This is intentional — teachers weight an item to a fixed score (e.g. 10) regardless of question count or per-question values — so the mismatch is a NOTE, not a WARN. """ notes = [] units = course.get("units") or [] for u_idx, unit in enumerate(units): if not isinstance(unit, dict): continue for l_idx, lesson in enumerate(unit.get("lessons") or []): if not isinstance(lesson, dict): continue for i_idx, item in enumerate(lesson.get("items") or []): if not isinstance(item, dict): continue if normalize_item_type(item.get("type")) not in ("exercise", "quiz"): continue if "points" not in item or not isinstance(item.get("questions"), list): continue declared = item["points"] calculated = sum(q.get("points", 0) for q in item["questions"] if isinstance(q, dict)) if declared != calculated: item_ref = ( f"Unit {u_idx} ({unit.get('title', 'Untitled')}) > " f"Lesson {l_idx} ({lesson.get('title', 'Untitled')}) > " f"Item {i_idx} ({item.get('type')}: {item.get('title', 'Untitled')})" ) notes.append( f"{item_ref}: weighted points ({declared}) differ from " f"sum of question points ({calculated}) — intentional " f"if you're weighting this item to a fixed score." ) return notes def _collect_objective_id_violations(course): """KG-6: referential integrity for objectiveIds at every structural level. Every entry in courseObjectiveIds[], unit.objectiveIds[], and lesson.objectiveIds[] MUST reference an id declared in course.objectives[].id. Unresolved references break the signpost- auto-rendering contract (a signpost with an unresolved objective id renders nothing for that id). Returns a list of WARN-tier violation strings (warning-tier per the TD-145 framing of integrity checks — does not block import, but surfaces authoring errors). """ warnings = [] objectives = course.get('objectives') or [] if not isinstance(objectives, list): return warnings # schema-level error; let it surface elsewhere valid_ids = { obj.get('id') for obj in objectives if isinstance(obj, dict) and isinstance(obj.get('id'), str) } def _check(scope_ref, ids_field, container): ref_ids = container.get(ids_field) if not isinstance(ref_ids, list): return for ref_id in ref_ids: if not isinstance(ref_id, str): continue if ref_id not in valid_ids: warnings.append( f"{scope_ref}: '{ids_field}' references '{ref_id}', which is not " f"declared in course.objectives[]. Signposts that try to render " f"this objective will show nothing for it." ) _check(f"Course ({course.get('title', 'Untitled')})", 'courseObjectiveIds', course) for u_idx, unit in enumerate(course.get('units') or []): if not isinstance(unit, dict): continue unit_ref = f"Unit {u_idx} ({unit.get('title', 'Untitled')})" _check(unit_ref, 'objectiveIds', unit) for l_idx, lesson in enumerate(unit.get('lessons') or []): if not isinstance(lesson, dict): continue lesson_ref = f"{unit_ref} > Lesson {l_idx} ({lesson.get('title', 'Untitled')})" _check(lesson_ref, 'objectiveIds', lesson) return warnings def _collect_duplicate_global_id_errors(entities): """TD-206 / NORMATIVE §4.4: globalId values MUST be unique across all entities in a document. `entities` is an iterable of (ref, globalId) pairs — one per Unit, Lesson, Item, and Question that declares a globalId. Reference fields that *point at* a globalId (contentItemId, relatedItemIds) are not declarations and must not be passed in. Returns ERROR-tier strings, one per duplicated value, listing every entity that carries it. A document with two entities sharing a globalId breaks re-import matching: a consumer keyed on globalId cannot tell the entities apart, so updates can land on the wrong record. """ seen = {} for ref, gid in entities: if not isinstance(gid, str) or not gid: continue # missing/typed-wrong globalIds surface via schema + per-level checks seen.setdefault(gid.lower(), []).append(ref) errors = [] for gid, refs in seen.items(): if len(refs) > 1: errors.append( f"Duplicate globalId '{gid}' declared by {len(refs)} entities: " + "; ".join(refs) + ". NORMATIVE §4.4: globalId values MUST be unique across all " "entities in a document." ) return errors def _walk_global_id_declarations(course): """Yield (ref, globalId) for every Unit, Lesson, Item, and Question in a course document. Companion walker for _collect_duplicate_global_id_errors.""" for u_idx, unit in enumerate(course.get('units') or []): if not isinstance(unit, dict): continue unit_ref = f"Unit {u_idx} ({unit.get('title', 'Untitled')})" yield unit_ref, unit.get('globalId') for l_idx, lesson in enumerate(unit.get('lessons') or []): if not isinstance(lesson, dict): continue lesson_ref = f"{unit_ref} > Lesson {l_idx} ({lesson.get('title', 'Untitled')})" yield lesson_ref, lesson.get('globalId') for i_idx, item in enumerate(lesson.get('items') or []): if not isinstance(item, dict): continue item_ref = f"{lesson_ref} > Item {i_idx} ({item.get('type')}: {item.get('title', 'Untitled')})" yield item_ref, item.get('globalId') for q_idx, question in enumerate(item.get('questions') or []): if not isinstance(question, dict): continue yield f"{item_ref} > Q{q_idx + 1} ({question.get('type')})", question.get('globalId') # UUID v4 regex pattern UUID_PATTERN = re.compile(r'^[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$', re.IGNORECASE) # BCP 47 plausibility pattern (LOCALIZATION.md §3): a 2-3 letter primary subtag, # an optional 4-letter script subtag, and an optional region subtag (2 letters or # 3 digits). This is a WARN-tier sanity check, NOT full BCP 47 registry validation # — it accepts en, es, fr, ar, pt-BR, es-MX, en-GB, zh-Hant, es-419 and rejects # obvious junk ("english", "e", "en_US" with underscore, "123"). LANGUAGE_TAG_PATTERN = re.compile( r'^[A-Za-z]{2,3}(-[A-Za-z]{4})?(-([A-Za-z]{2}|[0-9]{3}))?$' ) def _is_plausible_language_tag(value): """True if value is a plausibly well-formed BCP 47 language tag (subset check).""" return isinstance(value, str) and LANGUAGE_TAG_PATTERN.match(value) is not None BOOLEANISH_TRUE = {"true", "1", "correct", "yes", "tick"} BOOLEANISH_FALSE = {"false", "0", "incorrect", "no", "cross"} TF_DISPLAY_STYLES = {"TrueFalse", "CorrectIncorrect", "CheckmarkX"} # --------------------------------------------------------------------------- # HTML safety profile (TD-130) — mirrors LC.JSON/specification/HTML_SAFETY.md. # # Severity policy: # ERROR — XSS-class. Forbidden elements (§2.4), event handlers (`on*`), # `javascript:` / `vbscript:` URLs. # WARN — sanitizable. Unknown elements, unknown attributes, CSS properties # outside the §3.4 allowlist, `tel:` URLs (consumer-policy gated), # `data:` URLs, missing `rel="noopener noreferrer"` on # target="_blank", missing `alt` on . # # Spec authority: HTML_SAFETY.md is the source of truth. If this validator and # the spec disagree, the spec wins; update this file. # --------------------------------------------------------------------------- # §2.1–§2.3 allowed elements HTML_ALLOWED_TAGS = { # Block (§2.1) "p", "div", "h1", "h2", "h3", "h4", "h5", "h6", "ul", "ol", "li", "blockquote", "pre", "hr", "table", "thead", "tbody", "tr", "th", "td", "figure", "figcaption", # Inline (§2.2) "a", "strong", "em", "b", "i", "u", "mark", "small", "sub", "sup", "code", "br", "span", "abbr", "q", "time", # Media (§2.3) "img", "video", "audio", "source", "track", } # §2.4 forbidden elements — presence is an ERROR. HTML_FORBIDDEN_TAGS = { "script", "iframe", "object", "embed", "form", "input", "button", "select", "textarea", "style", "link", "meta", "base", "svg", "math", "applet", "frame", "frameset", "noframes", } # §4.1 allowed URL schemes HTML_ALLOWED_LINK_SCHEMES = {"http", "https", "mailto", "tel"} # §4.2 explicitly-forbidden URL schemes that aren't javascript/vbscript # (those two are separate ERROR-level checks) HTML_FORBIDDEN_URL_SCHEMES = { "data", "blob", "file", "chrome", "chrome-extension", "ftp", "ws", "wss", "gopher", "view-source", } # §3.4 inline-style CSS-property allowlist HTML_ALLOWED_CSS_PROPERTIES = { # Sizing "max-width", "min-width", "width", "max-height", "min-height", "height", # Spacing "margin", "margin-top", "margin-right", "margin-bottom", "margin-left", "padding", "padding-top", "padding-right", "padding-bottom", "padding-left", # Borders "border", "border-top", "border-right", "border-bottom", "border-left", "border-collapse", "border-spacing", "border-style", "border-width", "border-color", # Alignment "text-align", "vertical-align", } # Universal attributes that may appear on any allowed element (§3.1) HTML_UNIVERSAL_ATTRS = {"id", "class", "title", "lang", "dir", "style"} # Per-element attribute additions (§3.3) — universal set is added on top. HTML_PER_TAG_ATTRS = { "a": {"href", "target", "rel"}, "img": {"src", "alt", "width", "height"}, "video": {"src", "poster", "controls", "width", "height", "preload"}, "audio": {"src", "controls", "preload"}, "source": {"src", "type"}, "track": {"src", "kind", "srclang", "label", "default"}, "table": {"border"}, "th": {"colspan", "rowspan", "headers", "scope"}, "td": {"colspan", "rowspan", "headers", "scope"}, "ol": {"start", "reversed", "type"}, "li": {"value"}, "blockquote": {"cite"}, "q": {"cite"}, "time": {"datetime"}, } # URL-bearing attributes per element (for §4 scheme checks) HTML_URL_ATTRS = { "a": ("href",), "img": ("src",), "video": ("src", "poster"), "audio": ("src",), "source": ("src",), "track": ("src",), "blockquote": ("cite",), "q": ("cite",), } HTML_OPEN_TAG_PATTERN = re.compile( r'<\s*([A-Za-z][A-Za-z0-9]*)\b([^>]*)>', re.IGNORECASE ) HTML_CLOSE_TAG_PATTERN = re.compile( r'<\s*/\s*([A-Za-z][A-Za-z0-9]*)\b[^>]*>', re.IGNORECASE ) HTML_ATTR_PATTERN = re.compile( r'([A-Za-z_:][A-Za-z0-9_:.\-]*)\s*(?:=\s*(?:"([^"]*)"|\'([^\']*)\'|([^\s"\'>]+)))?', ) CSS_DECL_PATTERN = re.compile(r'([A-Za-z\-]+)\s*:\s*([^;]+?)(?:;|$)') def _extract_attributes(attr_string): """Parse an HTML tag's attribute string into [(name_lower, value)] pairs. Bare attributes (`controls`, `default`) yield (name, ""). """ pairs = [] for match in HTML_ATTR_PATTERN.finditer(attr_string): name = match.group(1) value = match.group(2) or match.group(3) or match.group(4) or "" pairs.append((name.lower(), value)) return pairs def _classify_url_scheme(url): """Return the lowercased scheme, or '' for relative URLs.""" url = (url or "").strip() if not url: return "" if ":" not in url: return "" # Schemes are letters / digits / +-. up to the first colon. scheme = url.split(":", 1)[0].lower() # Sanity check: schemes are ASCII alphanumerics + + - . if not re.fullmatch(r'[a-z][a-z0-9+\-.]*', scheme): return "" return scheme def validate_html_content(html, ref, field_name): """Validate an HTML block against LC-JSON's HTML safety profile (TD-130). Returns (errors, warnings). See HTML_SAFETY.md §8 for the severity policy. """ errors = [] warnings = [] if not html or not isinstance(html, str): return errors, warnings # Track open tags so we can recognise things like # without rel attributes — that's a warning per §6.1, normalised by the # consumer at render time. The full HTML5 parsing model isn't needed; we # only need to inspect open tags one-by-one. for match in HTML_OPEN_TAG_PATTERN.finditer(html): tag = match.group(1).lower() attrs_string = match.group(2) or "" attrs = _extract_attributes(attrs_string) # ----- Tag classification ----- if tag in HTML_FORBIDDEN_TAGS: errors.append( f"{ref}: {field_name} contains forbidden element <{tag}> " f"(HTML_SAFETY.md §2.4). Consumer MUST reject the document." ) # Don't bother checking attributes on a forbidden element. continue if tag not in HTML_ALLOWED_TAGS: warnings.append( f"{ref}: {field_name} contains unknown element <{tag}>. " f"Consumers will strip the tag and preserve its inner text " f"(HTML_SAFETY.md §6.2)." ) # Still scan attrs for event handlers / unsafe URLs — XSS doesn't # care that the carrying element is unknown. # ----- Attribute classification ----- allowed_for_tag = HTML_UNIVERSAL_ATTRS | HTML_PER_TAG_ATTRS.get(tag, set()) for attr_name, attr_value in attrs: # Event handlers (§3.5) — ERROR. if attr_name.startswith("on"): errors.append( f"{ref}: {field_name} contains event-handler attribute " f"'{attr_name}' on <{tag}> (HTML_SAFETY.md §3.5). " f"Consumer MUST reject the document." ) continue # Universal forbidden form-related attributes if attr_name in {"srcdoc", "formaction", "formenctype", "formmethod", "formnovalidate", "formtarget"}: errors.append( f"{ref}: {field_name} contains forbidden attribute " f"'{attr_name}' on <{tag}> (HTML_SAFETY.md §3.5)." ) continue if tag in HTML_ALLOWED_TAGS and attr_name not in allowed_for_tag: warnings.append( f"{ref}: {field_name} attribute '{attr_name}' on <{tag}> " f"is not in the allowlist (HTML_SAFETY.md §3). Consumers " f"will strip it." ) # Continue scanning; even unknown attributes can carry unsafe URLs # if they happen to be URL-shaped, but the consumer strips them. continue # ----- URL-bearing attribute scheme checks (§4) ----- url_attrs_for_tag = HTML_URL_ATTRS.get(tag, ()) if attr_name in url_attrs_for_tag and attr_value: scheme = _classify_url_scheme(attr_value) if scheme in {"javascript", "vbscript"}: errors.append( f"{ref}: {field_name} contains <{tag} {attr_name}=\"{attr_value[:60]}\"> " f"with scheme '{scheme}:' (HTML_SAFETY.md §4.2). " f"Consumer MUST reject the document." ) elif scheme == "data": warnings.append( f"{ref}: {field_name} contains <{tag} {attr_name}=...> " f"with a data: URL. Forbidden per HTML_SAFETY.md §4.2; " f"consumers will strip on render." ) elif scheme in HTML_FORBIDDEN_URL_SCHEMES: warnings.append( f"{ref}: {field_name} contains <{tag} {attr_name}=...> " f"with forbidden scheme '{scheme}:' (HTML_SAFETY.md §4.2). " f"Consumers will strip on render." ) elif scheme == "tel": warnings.append( f"{ref}: {field_name} contains a tel: link. Permitted " f"per HTML_SAFETY.md §7, but consumer policy varies " f"by audience — some consumers (Lesson Commons Learn " f"is one example) gate tel: links via a config flag " f"and default to off for school-age audiences." ) elif scheme and scheme not in HTML_ALLOWED_LINK_SCHEMES: warnings.append( f"{ref}: {field_name} contains <{tag} {attr_name}=...> " f"with non-allowlisted scheme '{scheme}:' " f"(HTML_SAFETY.md §4.1). Consumers will strip on render." ) # Empty/relative URLs are fine. # ----- Inline style allowlist (§3.4) ----- if attr_name == "style" and attr_value: for css_match in CSS_DECL_PATTERN.finditer(attr_value): prop = css_match.group(1).strip().lower() val = css_match.group(2).strip() if prop not in HTML_ALLOWED_CSS_PROPERTIES: warnings.append( f"{ref}: {field_name} <{tag} style=...> contains " f"CSS property '{prop}' outside the allowlist " f"(HTML_SAFETY.md §3.4). Consumers will strip the " f"property and preserve the others." ) # Reject obvious JS-in-CSS tricks at WARN level — no consumer # should be running these but we surface them. val_lower = val.lower() if "expression(" in val_lower or "javascript:" in val_lower: errors.append( f"{ref}: {field_name} <{tag} style=...> CSS value " f"for '{prop}' contains a JS-injection pattern " f"(HTML_SAFETY.md §3.4). Consumer MUST reject." ) # ----- Per-tag domain rules ----- attr_dict = {n: v for n, v in attrs} if tag == "a" and attr_dict.get("target") == "_blank": rel = attr_dict.get("rel", "") rel_tokens = set(rel.lower().split()) if not ({"noopener", "noreferrer"} & rel_tokens): warnings.append( f"{ref}: {field_name} without " f"rel=\"noopener noreferrer\" (HTML_SAFETY.md §6.1). " f"Producers SHOULD emit; consumers MUST normalize." ) if tag == "img" and "alt" not in attr_dict: warnings.append( f"{ref}: {field_name} missing required 'alt' attribute " f"(HTML_SAFETY.md §3.3). Empty alt=\"\" is permitted for " f"decorative images." ) if tag in {"video", "audio"}: if "autoplay" in attr_dict: warnings.append( f"{ref}: {field_name} <{tag}> uses 'autoplay' which " f"producers MUST NOT emit (HTML_SAFETY.md §7). Consumers " f"SHOULD ignore." ) if "loop" in attr_dict: warnings.append( f"{ref}: {field_name} <{tag}> uses 'loop' which " f"producers MUST NOT emit (HTML_SAFETY.md §7)." ) # Accessibility post-pass: each