xAPI-Spec icon indicating copy to clipboard operation
xAPI-Spec copied to clipboard

Published 20 hours ago verified publisher icon adlnet

RFC-2397 URLs in Attachment Fields

Open drcrallen opened this issue 1 year ago • 1 comments

The following is a xAPI json blob that validates just fine in https://lrs.adlnet.gov/statementvalidator .

{
    "actor": {
        "account": {
            "homePage": "https://some.site.com",
            "name": "7565a82f-28cf-40f5-9c77-3385b66f2fe6"
        },
        "objectType": "Agent"
    },
    "attachments": [
        {
            "contentType": "text/plain;charset=utf-8",
            "description": {
                "en-US": "The dialog of the conversation"
            },
            "display": {
                "en-US": "Dialog"
            },
            "fileUrl": "data:text/plain;charset=utf-8;base64,CiNQIzogV2hhdCdzIHVwLCBteSBmcmllbmQ/IEhvdydzIGl0IGdvaW5nPwojQSM6IEhleSB0aGVyZSEgVGhpbmdzIGFyZSBnb2luZyBncmVhdCBvbiBteSBlbmQuIEhvdyBhYm91dCB5b3U/",
            "length": 108,
            "sha2": "3a93e01587188069c0ac766114159a1e2e4d669c1cf8739ebeae646b15f51a9d",
            "usageType": "http://id.tincanapi.com/attachment/supporting_media"
        }
    ],
    "authority": {
        "account": {
            "homePage": "https://some.site.com",
            "name": "[email protected]"
        },
        "objectType": "Agent"
    },
    "context": {
        "registration": "7565a82f-28cf-40f5-9c77-3385b66f2fe6",
        "revision": "2023-12-13T02:05:35.025Z"
    },
    "id": "05b7935b-de5f-4ae5-9d6d-37441fea71a5",
    "object": {
        "definition": {
            "description": {
                "en-US": "Some kind of description with a kind of long text."
            },
            "extensions": {},
            "name": {
                "en-US": "Introduction"
            },
            "type": "http://adlnet.gov/expapi/activities/simulation"
        },
        "id": "https://some.site.com/workshops/5fafc6e9-a703-438c-bf7f-ccebd0d6a43f",
        "objectType": "Activity"
    },
    "result": {
        "completion": true,
        "duration": "PT18S",
        "score": {
            "scaled": 0.2
        }
    },
    "timestamp": "2023-12-14T04:01:14.315Z",
    "verb": {
        "display": {
            "en-US": "scored"
        },
        "id": "http://adlnet.gov/expapi/verbs/scored"
    },
    "version": "1.0.0"
}

This is specifically of note because you can put full documents in the IRL attachment field. The following javascript code will parse the field in a way that is expected, and makes it indistinguishable for most systems that blindly pass through the fileUrl value into a javascript Fetch statement.

crazyUrl="data:text/plain;charset=utf-8;base64,CiNQIzogV2hhdCdzIHVwLCBteSBmcmllbmQ/IEhvdydzIGl0IGdvaW5nPwojQSM6IEhleSB0aGVyZSEgVGhpbmdzIGFyZSBnb2luZyBncmVhdCBvbiBteSBlbmQuIEhvdyBhYm91dCB5b3U/";
fetch(crazyUrl).then((response) =>response.blob()).then((blob) => blob.text()).then((value) => console.log(value));

import datauri
crazyUrl="data:text/plain;charset=utf-8;base64,CiNQIzogV2hhdCdzIHVwLCBteSBmcmllbmQ/IEhvdydzIGl0IGdvaW5nPwojQSM6IEhleSB0aGVyZSEgVGhpbmdzIGFyZSBnb2luZyBncmVhdCBvbiBteSBlbmQuIEhvdyBhYm91dCB5b3U/"
d = datauri.parse(crazyUrl)
print(d.data.decode('utf-8'))

You can even run the above in your debugging tools. What I cannot really tell is if this actually violates the spec. "data" is a valid scheme and works transparently in javascript, and with some minor special handling in python as long as the library is setup to parse the standard. Is it a violation of the spec to include a RFC-2397 compliant blob of data in the Attachment's fileUrl field?

If not that seems like a way to accidentally blow up storage expectations on servers recording the xapi entries.

drcrallen avatar Dec 28 '23 18:12 drcrallen