jotup 0.10.0

A parser for the Djot markup language (dpc's fork of jotdown)
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161

use crate::{Attributes, Container, Event, Render, RenderOutput};

/// Sanitize html rendering
///
/// Rendering filter that will strip rendered djot document
/// from things that could be used to inject arbitrary
/// html and styling to the rendered output, leaving
/// only content that is safe to display directly as html
/// from an untrusted djot input.
///
/// ````
/// use jotup::{Render, RenderOutputExt};
/// use jotup::html::filters::SanitizeExt;
///
/// let src = r#"
/// ```=html
/// <p>foo</p>
/// ```
/// "#;
/// let out = jotup::html::Renderer::minified()
///   .sanitize()
///   .render_into_document(src)
///   .unwrap();
///
/// assert_eq!(
///   out,
///   "<pre><code class=\"language-html\">&lt;p&gt;foo&lt;/p&gt;</code></pre>"
/// );
/// ````
pub struct Sanitize<R>(R);

impl<'s, R> Render<'s> for Sanitize<R>
where
    R: Render<'s>,
{
    type Error = R::Error;

    fn emit(&mut self, event: Event<'s>) -> Result<(), Self::Error> {
        match event {
            // Render raw html as code blocks to avoid arbitrary html injection.
            Event::Start(Container::RawBlock { format }, _attrs)
            | Event::Start(Container::RawInline { format }, _attrs)
                if format == "html" =>
            {
                self.0.emit(Event::Start(
                    Container::CodeBlock { language: format },
                    Attributes::new(),
                ))
            }
            // Strip all attributes from containers
            Event::Start(container, _attrs) => {
                self.0.emit(Event::Start(container, Attributes::new()))
            }
            _ => self.0.emit(event),
        }
    }
}

impl<'s, R> RenderOutput<'s> for Sanitize<R>
where
    R: RenderOutput<'s>,
{
    type Output = R::Output;

    fn into_output(self) -> Self::Output {
        self.0.into_output()
    }
}

pub trait SanitizeExt {
    fn sanitize(self) -> Sanitize<Self>
    where
        Self: Sized,
    {
        Sanitize(self)
    }
}

impl<'s, R> SanitizeExt for R where R: Sized + Render<'s> {}

#[cfg(feature = "async")]
/// Async version of Sanitize filter for async rendering
pub struct AsyncSanitize<R>(R);

#[cfg(feature = "async")]
#[async_trait::async_trait]
impl<'s, R> crate::r#async::AsyncRender<'s> for AsyncSanitize<R>
where
    R: crate::r#async::AsyncRender<'s> + Send,
{
    type Error = R::Error;

    async fn emit(&mut self, event: Event<'s>) -> Result<(), Self::Error> {
        match event {
            // Render raw html as code blocks to avoid arbitrary html injection.
            Event::Start(Container::RawBlock { format }, _attrs)
            | Event::Start(Container::RawInline { format }, _attrs)
                if format == "html" =>
            {
                self.0
                    .emit(Event::Start(
                        Container::CodeBlock { language: format },
                        Attributes::new(),
                    ))
                    .await
            }
            // Strip all attributes from containers
            Event::Start(container, _attrs) => {
                self.0
                    .emit(Event::Start(container, Attributes::new()))
                    .await
            }
            _ => self.0.emit(event).await,
        }
    }
}

#[cfg(feature = "async")]
#[async_trait::async_trait]
impl<'s, R> crate::r#async::AsyncRenderOutput<'s> for AsyncSanitize<R>
where
    R: crate::r#async::AsyncRenderOutput<'s> + Send,
{
    type Output = R::Output;

    fn into_output(self) -> Self::Output {
        self.0.into_output()
    }
}

#[cfg(feature = "async")]
pub trait AsyncSanitizeExt {
    fn sanitize(self) -> AsyncSanitize<Self>
    where
        Self: Sized,
    {
        AsyncSanitize(self)
    }
}

#[cfg(feature = "async")]
impl<'s, R> AsyncSanitizeExt for R where R: Sized + crate::r#async::AsyncRender<'s> + Send {}

#[test]
fn sanitize_me() {
    use crate::RenderOutputExt;
    let src = r#"
```=html
<p>foo</p>
```
"#;
    let out = super::Renderer::minified()
        .sanitize()
        .render_into_document(src)
        .unwrap();

    assert_eq!(
        out,
        "<pre><code class=\"language-html\">&lt;p&gt;foo&lt;/p&gt;</code></pre>"
    );
}