Implement end of study message (#4271)

Pitch DIAGNijmegen/rse-roadmap#426

Implements the end-of-reader-study message option in the reader study
settings.

Author: pkcakeout

app/grandchallenge/reader_studies/forms.py

@@ -147,6 +147,7 @@ class Meta:
             "enable_autosaving",
             "allow_show_all_annotations",
             "roll_over_answers_for_n_cases",
+            "end_of_study_text_markdown",
         )
         help_texts = READER_STUDY_HELP_TEXTS
         widgets = {
@@ -252,6 +253,7 @@ class Meta(ReaderStudyCreateForm.Meta):
             "allow_show_all_annotations",
             "roll_over_answers_for_n_cases",
             "case_text",
+            "end_of_study_text_markdown",
         )
         widgets = {
             "case_text": JSONEditorWidget(schema=CASE_TEXT_SCHEMA),
@@ -263,6 +265,7 @@ class Meta(ReaderStudyCreateForm.Meta):
             "organizations": Select2MultipleWidget,
             "optional_hanging_protocols": Select2MultipleWidget,
             "view_content": JSONEditorWidget(schema=VIEW_CONTENT_SCHEMA),
+            "end_of_study_text_markdown": MarkdownEditorInlineWidget,
         }
         help_texts = {
             **READER_STUDY_HELP_TEXTS,

app/grandchallenge/reader_studies/migrations/0070_readerstudy_end_of_study_text_markdown.py

@@ -0,0 +1,21 @@
+# Generated by Django 4.2.23 on 2025-08-22 16:21
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("reader_studies", "0069_alter_readerstudy_enable_autosaving"),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name="readerstudy",
+            name="end_of_study_text_markdown",
+            field=models.TextField(
+                blank=True,
+                help_text="Text to show when a user has completed the reader study",
+            ),
+        ),
+    ]

app/grandchallenge/reader_studies/models.py

@@ -351,6 +351,10 @@ class ReaderStudy(
             "Usernames and avatars will be hidden to protect other readers' privacy."
         ),
     )
+    end_of_study_text_markdown = models.TextField(
+        blank=True,
+        help_text="Text to show when a user has completed the reader study",
+    )
     max_credits = models.PositiveIntegerField(
         null=True,
         blank=True,
@@ -386,6 +390,7 @@ class Meta(UUIDModel.Meta, TitleSlugDescriptionModel.Meta):
         "modalities",
         "structures",
         "organizations",
+        "end_of_study_text_markdown",
     }
 
     optional_copy_fields = [
@@ -555,7 +560,25 @@ def remove_reader(self, user):
     @property
     def help_text(self) -> str:
         """The cleaned help text from the markdown sources"""
-        return md2html(self.help_text_markdown, link_blank_target=True)
+        # Deprecated method
+        return self.help_text_safe
+
+    @property
+    def help_text_safe(self) -> str:
+        """The cleaned help text from the markdown sources"""
+        return md2html(
+            self.help_text_markdown,
+            link_blank_target=True,
+            create_permalink_for_headers=False,
+        )
+
+    @property
+    def end_of_study_text_safe(self) -> str:
+        return md2html(
+            self.end_of_study_text_markdown,
+            link_blank_target=True,
+            create_permalink_for_headers=False,
+        )
 
     @cached_property
     def study_image_names(self):

app/grandchallenge/reader_studies/serializers.py

@@ -182,6 +182,7 @@ class Meta:
             "logo",
             "description",
             "help_text",
+            "help_text_safe",
             "pk",
             "questions",
             "title",
@@ -193,6 +194,7 @@ class Meta:
             "allow_case_navigation",
             "allow_show_all_annotations",
             "roll_over_answers_for_n_cases",
+            "end_of_study_text_safe",
         )
 
 

app/tests/reader_studies_tests/test_models.py

@@ -2,6 +2,7 @@
 from datetime import timedelta
 
 import pytest
+from bs4 import BeautifulSoup
 from django.core.exceptions import ObjectDoesNotExist, ValidationError
 from django.db.models import ProtectedError
 from django.db.utils import IntegrityError
@@ -368,18 +369,61 @@ def test_score_for_user(
     assert score["score__avg"] == 0.5
 
 
+@pytest.mark.parametrize(
+    "markdown_field,rendered_field",
+    (
+        ("help_text_markdown", "help_text"),
+        ("help_text_markdown", "help_text_safe"),
+        ("end_of_study_text_markdown", "end_of_study_text_safe"),
+    ),
+)
 @pytest.mark.django_db
-def test_help_markdown_is_scrubbed(client):
+def test_help_markdown_is_scrubbed(client, markdown_field, rendered_field):
+    somewhat_naughty_string = (
+        "<a href='javascript:alert(1)' onmouseover='alert(1)'>Click me</a>"
+        "<script>alert('XSS')</script>"
+    )
+
     rs = ReaderStudyFactory(
-        help_text_markdown="<b>My Help Text</b><script>naughty</script>",
+        **{
+            markdown_field: "# Here come some naughty strings\n\n"
+            + somewhat_naughty_string
+        }
     )
     u = UserFactory()
     rs.add_reader(u)
 
     response = get_view_for_user(client=client, url=rs.api_url, user=u)
 
     assert response.status_code == 200
-    assert response.json()["help_text"] == "<p><b>My Help Text</b>naughty</p>"
+
+    rendered_text = response.json()[rendered_field]
+    parsed_text = BeautifulSoup(rendered_text, "html.parser")
+    assert parsed_text, "Parsing output failed"
+
+    # Check that there are not <script> tags, event handlers, and
+    # javascript: URLs in the generated output
+    assert not parsed_text.find_all("script")
+    for element in parsed_text.find_all():
+        for attribute in element.attrs:
+            has_on_attr = attribute.lower().startswith("on")
+            assert not has_on_attr, "Found event handler"
+    for element in parsed_text.find_all():
+        for attr_value in element.attrs.values():
+            if isinstance(attr_value, str):
+                attr_values = [attr_value]
+            elif isinstance(attr_value, (tuple, list)):
+                attr_values = list(attr_value)
+            else:
+                continue
+
+            for value in attr_values:
+                if isinstance(value, str):
+                    assert not value.lower().strip().startswith("javascript:")
+
+    # Make sure that there are no headerlinks in the output
+    for element in parsed_text.find_all():
+        assert "headerlink" not in element.get("class", [])
 
 
 @pytest.mark.django_db