feat: implement QTI declaration serialization framework and validation utilities

[Abhishek-Punhani]

Summary

Implemented QTI declaration serialization framework and validation utilities

This PR add:

• QTIDeclaration.js — Central class representing a qti-response-declaration or qti-outcome-declaration element. Handles fromXML (parse from existing XML), fromPlain (construct from flat JSON), and getXML (emit a DOM node for assembly). Supports all cardinality and base-type combinations defined in the QTI 3.0 spec.
• QTISanitizer.js — Defensive validation and XSS mitigation utility. Validates structural attributes (identifier, base-type, cardinality) with fail-fast error semantics, and strips unsafe HTML tags from string content using a DOM-based approach that removes <script>/<style> elements entirely rather than extracting their bodies.
• assembleItem.js — buildXmlNode helper that constructs DOM element trees from a plain descriptor object { tag, attrs, children }, used by all declaration strategies.
• interactionSchema.js — Registry mapping QTI interaction type names to their descriptor shapes, used to validate and look up interaction metadata.

References

closes #5965

AI usage

Used Antigravity for final review and nitpicks.

[learning-equality-bot]

👋 Hi @Abhishek-Punhani, thanks for contributing!

For the review process to begin, please verify that the following is satisfied:

• Contribution is aligned with our contributing guidelines

• Pull request description has correctly filled AI usage section & follows our AI guidance:

  AI guidance

  
  

  State explicitly whether you didn't use or used AI & how.

  If you used it, ensure that the PR is aligned with Using AI as well as our DEEP framework. DEEP asks you:

  • Disclose — Be open about when you've used AI for support.
  • Engage critically — Question what is generated. Review code for correctness and unnecessary complexity.
  • Edit — Review and refine AI output. Remove unnecessary code and verify it still works after your edits.
  • Process sharing — Explain how you used the AI so others can learn.

  
  

  Examples of good disclosures:

  "I used Claude Code to implement the component, prompting it to follow the pattern in ComponentX. I reviewed the generated code, removed unnecessary error handling, and verified the tests pass."

  "I brainstormed the approach with Gemini, then had it write failing tests for the feature. After reviewing the tests, I used Claude Code to generate the implementation. I refactored the output to reduce verbosity and ran the full test suite."

Also check that issue requirements are satisfied & you ran pre-commit locally.

Pull requests that don't follow the guidelines will be closed.

Reviewer assignment can take up to 2 weeks.

[Abhishek-Punhani]

@AlexVelezLl — I added a QTISanitizer class that wasn't in the original scope, but felt necessary. Since QTI XML is authored content that eventually gets serialized and consumed by backend and database.
Happy to remove it if you'd prefer to handle that at a different layer, but I think having it here keeps the protection consistent regardless of which interaction type is authoring the content.

[AlexVelezLl]

Looking great! I have added some questions/comments to make this a bit more flexible. Please let me know if you have any questions/suggestions :)

[AlexVelezLl]

I think it'd be great to have some constants declarations for cardinality and base-type.

[Abhishek-Punhani]

Yeah I had defined some functions in QTISanitizer, willl use that here

[AlexVelezLl]

As per #5984 (comment), I think it'd be better to have these constants defined in constants.js instead. Also, we will need to reference them when building the XML from the editor state. So better to have them defined once for all references in the editor 👐.

[AlexVelezLl]

I'm a little unsure about how to define the schemas per question type in this file. On one side, it'd be one additional place we should remember to edit when we create a new question type. Also, it comes at the cost of some flexibility, because if the cardinality is dynamic, then we will need to add an additional workaround for them. (For example, with text entry interactions, we will probably need to set cardinality='single' if there is just one response or 'multi' if there are many correct responses).

So, I'd say this logic should be deferred to the parse modules that each interaction is going to have. This way we keep it a bit more flexible, and it's one place less to change when we add a new interaction.

[Abhishek-Punhani]

We can add a registry factory and define the interaction for once while defining the interaction and keep cardinality as computed property and allow it to be dynamic?

[AlexVelezLl]

I think having a schema for the declarations may work, but I wonder if declaring a global object for all question types in a single file is the best way to define them. Perhaps we can build each schema in the parse.js file, or even declare them on each interaction descriptor. The idea is to prevent having to remember to add another entry to a global registry that holds all interactions if we already have one (the interactions descriptor registry).

The other question would be how we will handle the capabilities array on the schema, and how much it would be needed. Also, here we are defining a map of question type -> interaction again, and that would be a redundant definition, as we already cover this on the interaction descriptors.

[AlexVelezLl]

I'm also a bit unsure about this. The general strategy to convert from question types will be to just drop the old descriptor and mount the new one with the same xml that was saved from the previous descriptor. If there are some parts of it that the new descriptor can recognize, it will use them (e.g., if the previous used baseType="identifier", and we also use baseType="identifier", then they will be "compatible" without really needing to compare both descriptors).

Also, we probably won't have a good place to call convertTo as we're trying to keep the interactionSection (the one that can actually detect the change) as independent from each interaction detail as possible.

[Abhishek-Punhani]

Yeah I guess I complicated it, just parse it once acc to new type will also work

[AlexVelezLl]

I think we may need this to set the innerHTML property at some point when we need to build the prompt nodes, but we can defer this change to when we actually need it :)

[AlexVelezLl]

I think we do need a sanitizer somewhere, but I think we should have a general XML sanitizer. The current sanitizer is also doing validation, and I think validation can be done within the QTIDeclaration class instead, as it would not be a general qti validation, but declaration validations. For example, we should have a BaseType constant in constants.js instead, because we will need it when we build the xml back from the interactions state, and then we can validate the baseType value at export time (on the .getXML, and we can potentially validate in other places too, but the most important one is that.) against the available values in the BaseType constant.

Identifier validation will also be needed in several places, so we can potentially move this to a helper module. But if invalid identifiers are fed into the editor, we should probably just drop them and generate proper ones (or drop them, depending on the case).

In any case, we should do XML sanitization, but not only for qti but rather for the entire XML assembly logic (also because RTE doesn't currently escape/sanitize the input/output #5956).

[AlexVelezLl]

I'd say we should receive the declaration as a constructor argument and call registerCapability on the constructor to prevent potential deviations between the fromXML and fromPlain. With this, I'd say that we can live without fromPlain and just directly create the object by calling the constructor on the consumer. What do you think?

[AlexVelezLl]

Could we also bring the parseValues and coerceValues, and their respective counterparts for the XML build, to the QTIDeclaration class? It'd be great to have the additional coercion and validation we have there, and it would also be more comfortable to use the JS values instead of transforming them to strings before using them in the QTIDeclaration.

I think bringing support for cardinality="record" is going to be complex, so it'd probably be best not to do it right now, as there isn't yet a proper use case for it. So we can just add some errors or warnings flagging that cardinality="record" is not yet supported?

[learning-equality-bot]

📢✨ Before we assign a reviewer, we'll turn on @rtibblesbot to pre-review. Its comments are generated by an LLM, and should be evaluated accordingly.

[rtibblesbot]

Solid declaration model with clean separation of concerns and a strong XML round-trip test pattern. Four structural issues worth addressing before merge — all suggestions, no hard bugs, CI passing.

• suggestion mapping.js:13 — circular import, easy one-line fix inline
• suggestion QTIDeclaration.js:249 — forType untested and out of scope for this issue
• suggestion QTISanitizer.js:1 — shipped with no production consumer; duplicates constructor validation
• suggestion QTIDeclaration.js:127 — coerceValue/formatValue names conflict with the AC's explicit exclusion of coerceValue

UI verification not applicable — no frontend UI files changed.

---

@rtibblesbot's comments are generated by an LLM, and should be evaluated accordingly

How was this generated?

Ran a phased review pipeline over the pull request diff:

• Classified the diff to select review passes (core, frontend, backend) and whether manual QA was required
• Core review pass checked correctness, design, architecture, testing, completeness, and DRY/SRP/Rule-of-Three principles
• Specialized frontend/backend review passes applied framework-specific lenses where those files changed
• For UI changes: manual QA and an accessibility audit against a live dev server, when available
• Checked CI status and linked issue acceptance criteria
• Synthesized one review from those passes and chose the verdict from the findings, CI status, and QA evidence

[rtibblesbot]

suggestion: This import creates a confirmed cycle: QTIDeclaration.js → declarations/index.js → mapping.js → QTIDeclaration.js. It works today because QTIDeclaration is only referenced at call time (line 67), not at module evaluation, so ES module live bindings save it. But it's fragile — evaluation-order changes can produce an undefined binding.

declaration is already a parameter to fromXML, so the fix is a one-liner:

// line 67 — before
mapKey: QTIDeclaration.coerceValue(entry.getAttribute('map-key'), declaration.baseType),
// after — removes the import entirely
mapKey: declaration.coerceValues([entry.getAttribute('map-key')])[0],

correctResponse.js and defaultValue.js already follow this pattern — use the instance method rather than the static one.

[rtibblesbot]

suggestion: forType is not described in issue #5965 and has no tests in QTIDeclaration.spec.js. It also drives all the interactions/ changes in this PR (getDeclarationSchema on the interface, getDescriptorForQuestionType in the registry, and the choice descriptor implementation). That's meaningful surface area for a method with zero test coverage.

Either add tests (forType(QuestionType.SINGLE_SELECT) returns a declaration with the right baseType/cardinality; forType throws for an unknown type) and open a separate issue for the interactions/ additions, or move the whole forType + interactions block out of this PR.

[rtibblesbot]

suggestion: QTISanitizer is not mentioned in issue #5965 and no production file in this PR imports it — only its own test suite does. Meanwhile QTIDeclaration's constructor already validates identifier (line 29 with an identical /^[\p{L}_][\p{L}\p{N}_.-]*$/u regex), cardinality, and base-type inline, so the validations are duplicated rather than consolidated.

Shipping this as dead code creates maintenance surface without integration benefit. Consider either: (a) integrating it into QTIDeclaration now so the duplication is resolved, or (b) moving it to a separate PR scoped to validation/XSS hardening.

[AlexVelezLl]

I think we can keep it for now and take the parts of it that are useful into a more general XML sanitizer in the future.

[rtibblesbot]

Understood — deferring to your call. Withdrawing the finding.

[rtibblesbot]

suggestion: The acceptance criterion for #5965 explicitly calls out "no coerceValue" as something this class should not contain. These static methods are pure utilities (no state, no this._value writes) and are functionally different from Kolibri's stateful version — but the name is identical to what the AC says to exclude.

Renaming would make the distinction clear and bring the code into unambiguous AC compliance — e.g. parseQtiValue / serializeQtiValue at module scope, or moving them to a qtiValueUtils.js helper alongside assembleItem.js.

[AlexVelezLl]

The "no coerceValue" was my bad 😅. I initially thought it was only used for scoring, but it's also useful for the initial parsing :^)

[rtibblesbot]

praise: Routing output through XMLSerializer → DOMParser and guarding on parsererror before asserting on structure is meaningfully stronger than DOM-property checks — it confirms the emitted nodes are well-formed XML that a QTI player could actually consume. Solid defensive coverage.

[AlexVelezLl]

It's looking great! No major concerns 🎉

[AlexVelezLl]

Could we use Cardinality.RECORD instead? 😅

[AlexVelezLl]

Idem, could we use Cardinality.SINGLE here?

[AlexVelezLl]

We should remove the fromPlain here.

[AlexVelezLl]

Oh, apologies I didn't link the Kolibri implementation 😅, I think we can just bring the coerce code from https://github.com/learningequality/kolibri/pull/14631/changes#diff-48a84a3229362f3e5828755b058e722449660ed57d2e395f167fd2fcd39528b7R232, so that we just directly have all other value types (but record cardinality) here, because we will use pair and directed pair in the future too, so best if we have everything already set up here given that the implementation in Kolibri is already there! :).

[AlexVelezLl]

Could we use Cardinality.SINGLE here instead? :)

[AlexVelezLl]

Could you add a brief comment here explaining why this disable is needed?

[Abhishek-Punhani]

@AlexVelezLl, The disable was added because autofixing these rules converted our XML serialization assertions from native DOM API checks (getAttribute, textContent) to jest-dom matchers, which caused the tests to fail.

These serialization suites build nodes from an XML document (DOMParser(..., 'text/xml')), so the resulting elements are XML elements rather than HTMLElements. As a result, matchers such as toHaveAttribute and toHaveTextContent reject the nodes, whereas the native DOM APIs work correctly for these assertions.

Since these tests validate XML serialization output rather than rendered HTML, I opted to keep the native assertions and disable the corresponding jest-dom preference rules.

Would you prefer a different approach, or would adding a brief comment above the disable explaining this rationale be sufficient?

[rtibblesbot]

You're right — that's a legitimate constraint. matchers like and require s and will reject the XML elements produced by with . Keeping native DOM API assertions here makes sense. A brief comment above the disable explaining this rationale would be sufficient. Withdrawing my finding.

[AlexVelezLl]

Yeah, that's perfect 😅. Adding a brief comment about this would be great so that people know why these eslint-disable are needed 👐.

[rtibblesbot]

Understood, deferring to @AlexVelezLl's assessment. Apologies for the noise.

[AlexVelezLl]

Given that we are repeating these across several suites, could we just use them from the testUtils module?

[AlexVelezLl]

Here, the description is a bit misleading because the children are not a trimmed string, but a coerced float value.

[AlexVelezLl]

Here the // --- / // Constructor tests / // --- are duplicating the purpose of the describe block, I think we can remove them

[AlexVelezLl]

We can remove this Mirrors the approach in Kolibri's qtiXmlHelpers.js test utilit comment.

[AlexVelezLl]

Excellent work here @Abhishek-Punhani. LGTM! 🚀