Plume/plume-models/src/safe_string.rs

use ammonia::{Builder, UrlRelative};
use diesel::{
    self,
    deserialize::Queryable,
    serialize::{self, Output},
    sql_types::Text,
    types::ToSql,
};
use serde::{self, de::Visitor, Deserialize, Deserializer, Serialize, Serializer};
use std::{
    borrow::{Borrow, Cow},
    fmt::{self, Display},
    io::Write,
    iter,
    ops::Deref,
};

lazy_static! {
    static ref CLEAN: Builder<'static> = {
        let mut b = Builder::new();
        b.add_generic_attributes(iter::once("id"))
            .add_tags(&["iframe", "video", "audio", "label", "input"])
            .id_prefix(Some("postcontent-"))
            .url_relative(UrlRelative::Custom(Box::new(url_add_prefix)))
            .add_tag_attributes(
                "iframe",
                ["width", "height", "src", "frameborder"].iter().cloned(),
            )
            .add_tag_attributes("video", ["src", "title", "controls"].iter())
            .add_tag_attributes("audio", ["src", "title", "controls"].iter())
            .add_tag_attributes("label", ["for"].iter())
            .add_tag_attributes("input", ["type", "checked"].iter())
            .add_allowed_classes("input", ["cw-checkbox"].iter())
            // Related to https://github.com/Plume-org/Plume/issues/637
            .add_allowed_classes("sup", ["footnote-reference", "footnote-definition-label"].iter())
            .add_allowed_classes("div", ["footnote-definition"].iter())
            .add_allowed_classes("span", ["cw-container", "cw-text"].iter())
            .attribute_filter(|elem, att, val| match (elem, att) {
                ("input", "type") => Some("checkbox".into()),
                ("input", "checked") => Some("checked".into()),
                ("label", "for") => {
                    if val.starts_with("postcontent-cw-") {
                        Some(val.into())
                    } else {
                        None
                    }
                }
                _ => Some(val.into()),
            });
        b
    };
}

fn url_add_prefix(url: &str) -> Option<Cow<str>> {
    if url.starts_with('#') && !url.starts_with("#postcontent-") {
        //if start with an #
        let mut new_url = "#postcontent-".to_owned(); //change to valid id
        new_url.push_str(&url[1..]);
        Some(Cow::Owned(new_url))
    } else {
        Some(Cow::Borrowed(url))
    }
}

#[derive(Debug, Clone, PartialEq, AsExpression, FromSqlRow, Default)]
#[sql_type = "Text"]
pub struct SafeString {
    value: String,
}

impl SafeString {
    pub fn new(value: &str) -> Self {
        SafeString {
            value: CLEAN.clean(&value).to_string(),
        }
    }

    /// Creates a new `SafeString`, but without escaping the given value.
    ///
    /// Only use when you are sure you can trust the input (when the HTML
    /// is entirely generated by Plume, not depending on user-inputed data).
    /// Prefer `SafeString::new` as much as possible.
    pub fn trusted(value: impl AsRef<str>) -> Self {
        SafeString {
            value: value.as_ref().to_string(),
        }
    }

    pub fn set(&mut self, value: &str) {
        self.value = CLEAN.clean(value).to_string();
    }
    pub fn get(&self) -> &String {
        &self.value
    }
}

impl Serialize for SafeString {
    fn serialize<S>(&self, serializer: S) -> Result<S::Ok, S::Error>
    where
        S: Serializer,
    {
        serializer.serialize_str(&self.value)
    }
}

struct SafeStringVisitor;

impl<'de> Visitor<'de> for SafeStringVisitor {
    type Value = SafeString;

    fn expecting(&self, formatter: &mut fmt::Formatter) -> fmt::Result {
        formatter.write_str("a string")
    }

    fn visit_str<E>(self, value: &str) -> Result<SafeString, E>
    where
        E: serde::de::Error,
    {
        Ok(SafeString::new(value))
    }
}

impl<'de> Deserialize<'de> for SafeString {
    fn deserialize<D>(deserializer: D) -> Result<Self, D::Error>
    where
        D: Deserializer<'de>,
    {
        Ok(deserializer.deserialize_string(SafeStringVisitor)?)
    }
}

#[cfg(all(feature = "postgres", not(feature = "sqlite")))]
impl Queryable<Text, diesel::pg::Pg> for SafeString {
    type Row = String;
    fn build(value: Self::Row) -> Self {
        SafeString::new(&value)
    }
}

#[cfg(all(feature = "sqlite", not(feature = "postgres")))]
impl Queryable<Text, diesel::sqlite::Sqlite> for SafeString {
    type Row = String;
    fn build(value: Self::Row) -> Self {
        SafeString::new(&value)
    }
}

impl<DB> ToSql<diesel::sql_types::Text, DB> for SafeString
where
    DB: diesel::backend::Backend,
    str: ToSql<diesel::sql_types::Text, DB>,
{
    fn to_sql<W: Write>(&self, out: &mut Output<W, DB>) -> serialize::Result {
        str::to_sql(&self.value, out)
    }
}

impl Borrow<str> for SafeString {
    fn borrow(&self) -> &str {
        &self.value
    }
}

impl Display for SafeString {
    fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result {
        write!(f, "{}", self.value)
    }
}

impl Deref for SafeString {
    type Target = str;
    fn deref(&self) -> &str {
        &self.value
    }
}

impl AsRef<str> for SafeString {
    fn as_ref(&self) -> &str {
        &self.value
    }
}

use rocket::http::RawStr;
use rocket::request::FromFormValue;

impl<'v> FromFormValue<'v> for SafeString {
    type Error = &'v RawStr;

    fn from_form_value(form_value: &'v RawStr) -> Result<SafeString, &'v RawStr> {
        let val = String::from_form_value(form_value)?;
        Ok(SafeString::new(&val))
    }
}
Be less restrictive on authorized html tags Allow users to add ids to tags Allow users to use iframes 2018-09-19 10:48:39 +02:00			`use ammonia::{Builder, UrlRelative};`
Add unit tests for main model parts (#310) Add tests for following models: - Blog - Instance - Media - User 2018-11-24 12:44:17 +01:00			`use diesel::{`
			`self,`
			`deserialize::Queryable,`
			`serialize::{self, Output},`
create new type SafeString to sanitise and store unsafe html 2018-06-11 11:43:27 +02:00			`sql_types::Text,`
Add unit tests for main model parts (#310) Add tests for following models: - Blog - Instance - Media - User 2018-11-24 12:44:17 +01:00			`types::ToSql,`
			`};`
			`use serde::{self, de::Visitor, Deserialize, Deserializer, Serialize, Serializer};`
			`use std::{`
			`borrow::{Borrow, Cow},`
			`fmt::{self, Display},`
			`io::Write,`
			`iter,`
			`ops::Deref,`
			`};`
create new type SafeString to sanitise and store unsafe html 2018-06-11 11:43:27 +02:00
Be less restrictive on authorized html tags Allow users to add ids to tags Allow users to use iframes 2018-09-19 10:48:39 +02:00			`lazy_static! {`
			`static ref CLEAN: Builder<'static> = {`
			`let mut b = Builder::new();`
			`b.add_generic_attributes(iter::once("id"))`
Hide cw pictures behind a summary/details (#483) * Hide cw pictures behind a summary/details * refactor md_to_html a bit and add cw support * use random id for cw checkbox 2019-04-06 19:20:33 +02:00			`.add_tags(&["iframe", "video", "audio", "label", "input"])`
Be less restrictive on authorized html tags Allow users to add ids to tags Allow users to use iframes 2018-09-19 10:48:39 +02:00			`.id_prefix(Some("postcontent-"))`
			`.url_relative(UrlRelative::Custom(Box::new(url_add_prefix)))`
Add unit tests for main model parts (#310) Add tests for following models: - Blog - Instance - Media - User 2018-11-24 12:44:17 +01:00			`.add_tag_attributes(`
			`"iframe",`
Run 'cargo fmt' to format code (#489) 2019-03-20 17:56:17 +01:00			`["width", "height", "src", "frameborder"].iter().cloned(),`
Slightly improve the media experience (#452) * Slightly improve the media experience - Use a grid to display the list of media - Add icons for non-image media preview - Paginate the gallery - Add links to the gallery in the editor and in the profile settings to make it more discoverable when you need it Fixes #432 * Allow video and audio tags in SafeString Otherwise we can't display their preview, nor show them in articles Also show controls by default for these two elements * Show fallback images for audio and unknown files, to make them more visible * Add a new constructor to SafeString when the input is trusted and doesn't need to be escaped. And use it to generate media previews. * Make it possible to insert video/audio in articles 2019-03-06 14:11:36 +01:00			`)`
Run 'cargo fmt' to format code (#489) 2019-03-20 17:56:17 +01:00			`.add_tag_attributes("video", ["src", "title", "controls"].iter())`
Hide cw pictures behind a summary/details (#483) * Hide cw pictures behind a summary/details * refactor md_to_html a bit and add cw support * use random id for cw checkbox 2019-04-06 19:20:33 +02:00			`.add_tag_attributes("audio", ["src", "title", "controls"].iter())`
			`.add_tag_attributes("label", ["for"].iter())`
			`.add_tag_attributes("input", ["type", "checked"].iter())`
			`.add_allowed_classes("input", ["cw-checkbox"].iter())`
Fix #637 : Markdown footnotes (#700) * Ensure footnotes classes generated are not filtered pulldown-cmark add somes classes when footnotes html is generated. This commit ensure they are not filtered by html sanitizer * Add some footnotes styling 2019-11-20 16:16:38 +01:00			`// Related to https://github.com/Plume-org/Plume/issues/637`
			`.add_allowed_classes("sup", ["footnote-reference", "footnote-definition-label"].iter())`
			`.add_allowed_classes("div", ["footnote-definition"].iter())`
Hide cw pictures behind a summary/details (#483) * Hide cw pictures behind a summary/details * refactor md_to_html a bit and add cw support * use random id for cw checkbox 2019-04-06 19:20:33 +02:00			`.add_allowed_classes("span", ["cw-container", "cw-text"].iter())`
			`.attribute_filter(\|elem, att, val\| match (elem, att) {`
			`("input", "type") => Some("checkbox".into()),`
			`("input", "checked") => Some("checked".into()),`
			`("label", "for") => {`
			`if val.starts_with("postcontent-cw-") {`
			`Some(val.into())`
			`} else {`
			`None`
			`}`
			`}`
			`_ => Some(val.into()),`
			`});`
Be less restrictive on authorized html tags Allow users to add ids to tags Allow users to use iframes 2018-09-19 10:48:39 +02:00			`b`
			`};`
			`}`

			`fn url_add_prefix(url: &str) -> Option<Cow<str>> {`
Add unit tests for main model parts (#310) Add tests for following models: - Blog - Instance - Media - User 2018-11-24 12:44:17 +01:00			`if url.starts_with('#') && !url.starts_with("#postcontent-") {`
			`//if start with an #`
			`let mut new_url = "#postcontent-".to_owned(); //change to valid id`
Be less restrictive on authorized html tags Allow users to add ids to tags Allow users to use iframes 2018-09-19 10:48:39 +02:00			`new_url.push_str(&url[1..]);`
			`Some(Cow::Owned(new_url))`
			`} else {`
			`Some(Cow::Borrowed(url))`
			`}`
			`}`

Add unit tests for main model parts (#310) Add tests for following models: - Blog - Instance - Media - User 2018-11-24 12:44:17 +01:00			`#[derive(Debug, Clone, PartialEq, AsExpression, FromSqlRow, Default)]`
create new type SafeString to sanitise and store unsafe html 2018-06-11 11:43:27 +02:00			`#[sql_type = "Text"]`
Add unit tests for main model parts (#310) Add tests for following models: - Blog - Instance - Media - User 2018-11-24 12:44:17 +01:00			`pub struct SafeString {`
create new type SafeString to sanitise and store unsafe html 2018-06-11 11:43:27 +02:00			`value: String,`
			`}`

Add unit tests for main model parts (#310) Add tests for following models: - Blog - Instance - Media - User 2018-11-24 12:44:17 +01:00			`impl SafeString {`
			`pub fn new(value: &str) -> Self {`
			`SafeString {`
Be less restrictive on authorized html tags Allow users to add ids to tags Allow users to use iframes 2018-09-19 10:48:39 +02:00			`value: CLEAN.clean(&value).to_string(),`
create new type SafeString to sanitise and store unsafe html 2018-06-11 11:43:27 +02:00			`}`
			`}`
Slightly improve the media experience (#452) * Slightly improve the media experience - Use a grid to display the list of media - Add icons for non-image media preview - Paginate the gallery - Add links to the gallery in the editor and in the profile settings to make it more discoverable when you need it Fixes #432 * Allow video and audio tags in SafeString Otherwise we can't display their preview, nor show them in articles Also show controls by default for these two elements * Show fallback images for audio and unknown files, to make them more visible * Add a new constructor to SafeString when the input is trusted and doesn't need to be escaped. And use it to generate media previews. * Make it possible to insert video/audio in articles 2019-03-06 14:11:36 +01:00
			/// Creates a new `SafeString`, but without escaping the given value.
			`///`
			`/// Only use when you are sure you can trust the input (when the HTML`
			`/// is entirely generated by Plume, not depending on user-inputed data).`
			/// Prefer `SafeString::new` as much as possible.
			`pub fn trusted(value: impl AsRef<str>) -> Self {`
			`SafeString {`
Run 'cargo fmt' to format code (#489) 2019-03-20 17:56:17 +01:00			`value: value.as_ref().to_string(),`
Slightly improve the media experience (#452) * Slightly improve the media experience - Use a grid to display the list of media - Add icons for non-image media preview - Paginate the gallery - Add links to the gallery in the editor and in the profile settings to make it more discoverable when you need it Fixes #432 * Allow video and audio tags in SafeString Otherwise we can't display their preview, nor show them in articles Also show controls by default for these two elements * Show fallback images for audio and unknown files, to make them more visible * Add a new constructor to SafeString when the input is trusted and doesn't need to be escaped. And use it to generate media previews. * Make it possible to insert video/audio in articles 2019-03-06 14:11:36 +01:00			`}`
			`}`

create new type SafeString to sanitise and store unsafe html 2018-06-11 11:43:27 +02:00			`pub fn set(&mut self, value: &str) {`
Be less restrictive on authorized html tags Allow users to add ids to tags Allow users to use iframes 2018-09-19 10:48:39 +02:00			`self.value = CLEAN.clean(value).to_string();`
create new type SafeString to sanitise and store unsafe html 2018-06-11 11:43:27 +02:00			`}`
			`pub fn get(&self) -> &String {`
			`&self.value`
			`}`
			`}`

			`impl Serialize for SafeString {`
			`fn serialize<S>(&self, serializer: S) -> Result<S::Ok, S::Error>`
Add unit tests for main model parts (#310) Add tests for following models: - Blog - Instance - Media - User 2018-11-24 12:44:17 +01:00			`where`
			`S: Serializer,`
			`{`
create new type SafeString to sanitise and store unsafe html 2018-06-11 11:43:27 +02:00			`serializer.serialize_str(&self.value)`
			`}`
			`}`

			`struct SafeStringVisitor;`

			`impl<'de> Visitor<'de> for SafeStringVisitor {`
			`type Value = SafeString;`

Add unit tests for main model parts (#310) Add tests for following models: - Blog - Instance - Media - User 2018-11-24 12:44:17 +01:00			`fn expecting(&self, formatter: &mut fmt::Formatter) -> fmt::Result {`
create new type SafeString to sanitise and store unsafe html 2018-06-11 11:43:27 +02:00			`formatter.write_str("a string")`
			`}`

			`fn visit_str<E>(self, value: &str) -> Result<SafeString, E>`
Add unit tests for main model parts (#310) Add tests for following models: - Blog - Instance - Media - User 2018-11-24 12:44:17 +01:00			`where`
			`E: serde::de::Error,`
			`{`
create new type SafeString to sanitise and store unsafe html 2018-06-11 11:43:27 +02:00			`Ok(SafeString::new(value))`
			`}`
			`}`

			`impl<'de> Deserialize<'de> for SafeString {`
			`fn deserialize<D>(deserializer: D) -> Result<Self, D::Error>`
Add unit tests for main model parts (#310) Add tests for following models: - Blog - Instance - Media - User 2018-11-24 12:44:17 +01:00			`where`
			`D: Deserializer<'de>,`
			`{`
			`Ok(deserializer.deserialize_string(SafeStringVisitor)?)`
create new type SafeString to sanitise and store unsafe html 2018-06-11 11:43:27 +02:00			`}`
			`}`

Impl SQL traits for SafeString only for the selected backend Fixes #269 2018-10-08 19:58:15 +02:00			`#[cfg(all(feature = "postgres", not(feature = "sqlite")))]`
create new type SafeString to sanitise and store unsafe html 2018-06-11 11:43:27 +02:00			`impl Queryable<Text, diesel::pg::Pg> for SafeString {`
			`type Row = String;`
			`fn build(value: Self::Row) -> Self {`
			`SafeString::new(&value)`
			`}`
			`}`
Fix the SQlite build 2018-09-27 23:06:40 +02:00
Impl SQL traits for SafeString only for the selected backend Fixes #269 2018-10-08 19:58:15 +02:00			`#[cfg(all(feature = "sqlite", not(feature = "postgres")))]`
Fix the SQlite build 2018-09-27 23:06:40 +02:00			`impl Queryable<Text, diesel::sqlite::Sqlite> for SafeString {`
			`type Row = String;`
			`fn build(value: Self::Row) -> Self {`
			`SafeString::new(&value)`
			`}`
			`}`
Impl SQL traits for SafeString only for the selected backend Fixes #269 2018-10-08 19:58:15 +02:00
create new type SafeString to sanitise and store unsafe html 2018-06-11 11:43:27 +02:00			`impl<DB> ToSql<diesel::sql_types::Text, DB> for SafeString`
			`where`
			`DB: diesel::backend::Backend,`
Add unit tests for main model parts (#310) Add tests for following models: - Blog - Instance - Media - User 2018-11-24 12:44:17 +01:00			`str: ToSql<diesel::sql_types::Text, DB>,`
			`{`
create new type SafeString to sanitise and store unsafe html 2018-06-11 11:43:27 +02:00			`fn to_sql<W: Write>(&self, out: &mut Output<W, DB>) -> serialize::Result {`
			`str::to_sql(&self.value, out)`
			`}`
			`}`

			`impl Borrow<str> for SafeString {`
			`fn borrow(&self) -> &str {`
			`&self.value`
			`}`
			`}`

			`impl Display for SafeString {`
			`fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result {`
			`write!(f, "{}", self.value)`
			`}`
			`}`

			`impl Deref for SafeString {`
			`type Target = str;`
			`fn deref(&self) -> &str {`
			`&self.value`
			`}`
			`}`

			`impl AsRef<str> for SafeString {`
			`fn as_ref(&self) -> &str {`
			`&self.value`
			`}`
			`}`
add implementation for FromFormValue for SafeString thanks again to @pwoolcoc for this! 2018-09-14 18:26:42 +02:00
			`use rocket::http::RawStr;`
Add unit tests for main model parts (#310) Add tests for following models: - Blog - Instance - Media - User 2018-11-24 12:44:17 +01:00			`use rocket::request::FromFormValue;`
add implementation for FromFormValue for SafeString thanks again to @pwoolcoc for this! 2018-09-14 18:26:42 +02:00
			`impl<'v> FromFormValue<'v> for SafeString {`
			`type Error = &'v RawStr;`

			`fn from_form_value(form_value: &'v RawStr) -> Result<SafeString, &'v RawStr> {`
			`let val = String::from_form_value(form_value)?;`
allocate new SafeString in FromFormValue impl thanks to @fdb-hiroshima for this review! 2018-09-14 19:50:59 +02:00			`Ok(SafeString::new(&val))`
add implementation for FromFormValue for SafeString thanks again to @pwoolcoc for this! 2018-09-14 18:26:42 +02:00			`}`
			`}`