Skip to main content

umbral_core/
templates.rs

1//! Server-side HTML rendering via minijinja.
2//!
3//! Templates live under one or more directories on disk. At boot,
4//! `App::build()` assembles an ordered search list:
5//!
6//! 1. The project-level directory configured via
7//!    `AppBuilder::templates_dir` (default `./templates`).
8//! 2. Each registered plugin's `Plugin::templates_dirs()` contributions,
9//!    in topological dependency order.
10//!
11//! The first directory that contains a given template name wins. This
12//! makes cross-plugin `{% extends "base.html" %}` work automatically —
13//! the extends lookup searches every directory the same way a direct
14//! render call does. Plugin A can extend `base.html` from plugin B as
15//! long as B's directory appears in the search list.
16//!
17//! When two directories both provide a template with the same name, the
18//! first-match-wins policy applies and a `tracing::warn!` is emitted at
19//! boot so the collision is visible in the log. First-match-wins across
20//! all template directories. Silently-overridden templates are a
21//! well-known footgun, so the warning is non-optional.
22//!
23//! Rendering goes through one ambient accessor, [`render`], which reads
24//! the engine the App builder published into an `OnceLock` during build.
25//!
26//! ```ignore
27//! let html = umbral::templates::render("articles_list.html", &context!(articles))?;
28//! ```
29//!
30//! ## Autoescape
31//!
32//! Any template whose name ends in `.html` or `.htm` renders with
33//! autoescape on. Text templates (`.txt`) render verbatim. The autoescape
34//! callback extension whitelist MUST stay in sync with the loader's
35//! `load_directory` filter (currently `html | htm | txt`).
36//!
37//! ## v1 scope
38//!
39//! - One project-level templates directory (default `./templates/`,
40//!   relative to the binary's cwd) plus per-plugin directories.
41//! - Jinja2-compatible syntax via minijinja: `{% extends %}`, `{% block %}`,
42//!   `{% if %}`, `{% for %}`, `{{ value }}`, the standard filter set.
43//! - Autoescape for any template whose name ends in `.html` or `.htm`.
44//! - Init is best-effort: if no directory exists the engine boots empty.
45//!   Calls to [`render`] then return `TemplateError::Missing`.
46//!
47//! ## Deferred
48//!
49//! - Custom filters and tests registered through `Plugin::on_ready`.
50//! - Hot reload in development via `minijinja-autoreload`.
51
52use std::collections::HashSet;
53use std::future::Future;
54use std::path::{Path, PathBuf};
55use std::pin::Pin;
56use std::sync::Arc;
57use std::sync::OnceLock;
58
59use minijinja::{AutoEscape, Environment};
60use syntect::highlighting::ThemeSet;
61use syntect::html::{ClassStyle, ClassedHTMLGenerator, css_for_theme_with_class_style};
62use syntect::parsing::SyntaxSet;
63use syntect::util::LinesWithEndings;
64
65tokio::task_local! {
66    /// Per-request ambient user value, set by a session-aware layer
67    /// (typically `umbral_sessions::UserContextLayer<U>`) and read by
68    /// [`render`] to expose the current `user` in
69    /// templates. `None` means an anonymous request.
70    ///
71    /// Outside the layer's scope, `try_with` returns `Err(AccessError)`
72    /// and `render` skips the merge — explicit ctx behaviour is
73    /// preserved when no layer is installed.
74    pub static CURRENT_USER: Option<minijinja::Value>;
75
76    /// Per-request CSRF token, set by `umbral-security`'s middleware and
77    /// read by [`render`] to inject `csrf_token` / `csrf_input` into
78    /// every template, for the `{% csrf_token %}` ergonomic. Outside
79    /// the middleware's scope nothing is injected (a template that
80    /// references `{{ csrf_token }}` then renders it empty under the
81    /// engine's lenient-undefined behaviour).
82    pub static CURRENT_CSRF: Option<String>;
83
84    /// Lazy counterpart to `CURRENT_USER`: a resolver that produces the
85    /// user value on first access, memoized. Set by an auth middleware that
86    /// wants per-request laziness (resolve only if a template reads `user`).
87    pub static CURRENT_USER_LAZY: LazyUser;
88}
89
90type UserFut = Pin<Box<dyn Future<Output = minijinja::Value> + Send>>;
91type UserResolver = Arc<dyn Fn() -> UserFut + Send + Sync>;
92
93/// A lazily-resolved, per-request template `user`. The `resolver` runs at
94/// most once (guarded by the `OnceCell`); resolution happens synchronously
95/// from inside minijinja's sync render via `block_in_place`.
96///
97/// The lazy value is injected into the template context as a minijinja `Object`
98/// proxy ([`LazyUserProxy`]). Minijinja calls `get_value` on the proxy only
99/// when the template actually accesses an attribute on `user`, so requests that
100/// never render `user` skip resolution entirely.
101#[derive(Clone)]
102pub struct LazyUser {
103    cell: Arc<tokio::sync::OnceCell<minijinja::Value>>,
104    resolver: UserResolver,
105}
106
107impl LazyUser {
108    pub fn new<F, Fut>(resolver: F) -> Self
109    where
110        F: Fn() -> Fut + Send + Sync + 'static,
111        Fut: Future<Output = minijinja::Value> + Send + 'static,
112    {
113        Self {
114            cell: Arc::new(tokio::sync::OnceCell::new()),
115            resolver: Arc::new(move || Box::pin(resolver())),
116        }
117    }
118
119    /// Resolve (memoized) from a synchronous context. Requires a multi-thread
120    /// tokio runtime; on a current-thread runtime or outside any runtime it
121    /// logs and returns the anonymous value so callers fall back cleanly.
122    fn resolve_blocking(&self) -> minijinja::Value {
123        use tokio::runtime::{Handle, RuntimeFlavor};
124        let Ok(handle) = Handle::try_current() else {
125            return anonymous_user_value();
126        };
127        if handle.runtime_flavor() == RuntimeFlavor::CurrentThread {
128            tracing::warn!(
129                "umbral::templates: lazy `user` needs a multi-thread runtime; rendering anonymous"
130            );
131            return anonymous_user_value();
132        }
133        let cell = self.cell.clone();
134        let resolver = self.resolver.clone();
135        tokio::task::block_in_place(move || {
136            handle.block_on(async move { cell.get_or_init(|| resolver()).await.clone() })
137        })
138    }
139
140    /// Wrap this `LazyUser` in a minijinja `Value` proxy that resolves on
141    /// first attribute access from inside the synchronous render loop.
142    fn into_proxy_value(self) -> minijinja::Value {
143        minijinja::Value::from_object(LazyUserProxy(self))
144    }
145}
146
147/// A minijinja Object proxy that defers resolution of the user until the
148/// template actually accesses an attribute (e.g. `{{ user.is_staff }}`).
149/// Minijinja calls `get_value` for attribute access — we resolve there, not
150/// at context-merge time.
151struct LazyUserProxy(LazyUser);
152
153impl std::fmt::Debug for LazyUserProxy {
154    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
155        f.write_str("LazyUserProxy")
156    }
157}
158
159impl std::fmt::Display for LazyUserProxy {
160    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
161        // `{{ user }}` — resolve (memoized) and delegate to the resolved
162        // value's own Display so bare rendering is faithful. Uses the same
163        // `resolve_blocking` path as `get_value` to ensure at-most-once
164        // resolution and the same current-thread / no-runtime fallback.
165        let resolved = self.0.resolve_blocking();
166        std::fmt::Display::fmt(&resolved, f)
167    }
168}
169
170impl minijinja::value::Object for LazyUserProxy {
171    fn get_value(self: &Arc<Self>, key: &minijinja::Value) -> Option<minijinja::Value> {
172        let resolved = self.0.resolve_blocking();
173        resolved.get_item(key).ok()
174    }
175
176    fn is_true(self: &Arc<Self>) -> bool {
177        // `{% if user %}` — resolve (memoized) and delegate to the resolved
178        // value's truthiness so the proxy faithfully represents whether the
179        // resolved value is truthy. Uses the same `resolve_blocking` path as
180        // `get_value` so resolution is still at most once per request.
181        self.0.resolve_blocking().is_true()
182    }
183}
184
185/// Scope a lazy `user` resolver for the duration of `fut`.
186pub async fn with_current_user_lazy<F: Future>(lazy: LazyUser, fut: F) -> F::Output {
187    CURRENT_USER_LAZY.scope(lazy, fut).await
188}
189
190/// Run `fut` with the ambient template user value scoped to `user`
191/// for its duration. Intended for the session-aware layer in
192/// `umbral-sessions`; downstream handler code reads the value
193/// transparently through [`render`].
194pub async fn with_current_user<F: std::future::Future>(
195    user: Option<minijinja::Value>,
196    fut: F,
197) -> F::Output {
198    CURRENT_USER.scope(user, fut).await
199}
200
201/// Run `fut` with the ambient CSRF token scoped for its duration.
202/// Intended for the CSRF middleware in `umbral-security`; downstream
203/// handler code reads the value transparently through [`render`]
204/// (as `{{ csrf_token }}` / `{{ csrf_input }}`) or [`current_csrf`].
205pub async fn with_current_csrf<F: std::future::Future>(token: Option<String>, fut: F) -> F::Output {
206    CURRENT_CSRF.scope(token, fut).await
207}
208
209/// Read the ambient CSRF token, if a middleware has scoped one for
210/// this request. Non-template consumers (e.g. the admin's login form
211/// builder) use this to embed the same token the middleware minted,
212/// instead of minting their own.
213pub fn current_csrf() -> Option<String> {
214    CURRENT_CSRF.try_with(|t| t.clone()).ok().flatten()
215}
216
217/// Watched template directories captured at `init` time. Stored
218/// separately so the dev-mode render path can rebuild the environment
219/// from the same sources without re-publishing the OnceLock.
220static WATCHED_DIRS: OnceLock<Vec<PathBuf>> = OnceLock::new();
221use serde::Serialize;
222
223static ENGINE: OnceLock<Environment<'static>> = OnceLock::new();
224
225/// A plugin-contributed mutation of the template [`Environment`]: adds
226/// custom filters, functions, or globals at engine-build time
227/// (feature #67 - custom template tags/filters). Returned by
228/// `Plugin::template_registrars` and stored process-wide so the dev-mode
229/// hot-reload rebuild re-applies it.
230///
231/// It is `Fn` (not `FnOnce`) on purpose: in dev mode the engine is
232/// rebuilt on every template edit, so each registrar runs once per build.
233/// Make it owned and `'static` (no borrows of the plugin) so it survives
234/// in the [`REGISTRARS`] handle past `App::build`.
235pub type TemplateRegistrar = Box<dyn Fn(&mut Environment<'static>) + Send + Sync>;
236
237/// Plugin-contributed [`TemplateRegistrar`]s captured at `init_with` time.
238/// Stored separately from [`ENGINE`] so the dev-mode rebuild path (which
239/// goes through [`build_env`]) re-applies them without the App builder.
240static REGISTRARS: OnceLock<Vec<TemplateRegistrar>> = OnceLock::new();
241
242/// Register the built-in default 404/500 templates into an environment.
243///
244/// Called from `init` before any disk directories are scanned. The names
245/// use the `__umbral__/` prefix so they can never collide with a user's
246/// `templates/` directory (slashes aren't meaningful to the engine's name
247/// lookup — `__umbral__/default_404.html` is just a unique string key).
248///
249/// Because the user's disk directories are added after this call and
250/// first-match-wins is enforced by the `seen` set, a user who places a
251/// file named `__umbral__/default_404.html` in their own templates dir will
252/// silently replace the built-in — which is the intended escape hatch.
253/// (Callers who want a cleaner opt-out should use
254/// `App::builder().disable_default_error_pages()` instead.)
255/// gaps2 #21 — register the `img` MiniJinja filter that turns a URL
256/// into a fully-formed, performance-correct `<img>` tag.
257///
258/// Filter signature:
259///   `{{ url | img(alt="…", width=N, height=N, class="…") }}`
260///
261/// Output shape:
262///   `<img src="<url>" alt="<alt>" loading="lazy" decoding="async"
263///        width="<w>" height="<h>" class="<class>">`
264///
265/// Why this set of attributes:
266/// - `loading="lazy"` — the gap's primary ask. Browsers defer
267///   off-viewport image fetches until they're about to be needed,
268///   shrinking LCP + initial bandwidth.
269/// - `decoding="async"` — lets the browser decode the image off
270///   the main thread; prevents render-blocking decode work on
271///   slower devices.
272/// - explicit `width`/`height` (when provided) reserves layout
273///   space immediately so lazy-loading doesn't cause CLS
274///   (cumulative layout shift). Omitted if either is missing.
275/// - empty `alt=""` default is screen-reader-friendly for
276///   decorative images. Callers SHOULD pass a real `alt` for
277///   meaningful content images.
278///
279/// What's NOT included on day one (deferred to a later slice):
280/// - `srcset` for responsive resolutions — needs the on-the-fly
281///   resize handler (gap 21 Option C) before the filter knows
282///   real asset dimensions.
283/// - `<picture>` with `webp`/`avif` sources — same blocker; the
284///   transcode endpoint has to exist first.
285///
286/// Output is wrapped in `minijinja::value::Value::from_safe_string`
287/// so MiniJinja's autoescape doesn't double-escape the `<` / `>`
288/// characters — the attribute values themselves still go through
289/// `html_escape` so a hostile alt-text can't break out of the
290/// attribute quote.
291/// True when `url` is safe to place in an `<img src>`: a relative URL
292/// (no scheme) or an `http`/`https` absolute URL. Any other scheme
293/// (`javascript:`, `data:`, `vbscript:`, …) is rejected. Fails closed:
294/// a malformed scheme (embedded control chars, spaces) is also rejected.
295fn url_scheme_is_safe(url: &str) -> bool {
296    let trimmed = url.trim();
297    // A URL scheme is the run before the first ':' — but only if no
298    // '/', '?', '#' appears first (those mean a relative path/query).
299    let mut scheme_end = None;
300    for (i, c) in trimmed.char_indices() {
301        match c {
302            ':' => {
303                scheme_end = Some(i);
304                break;
305            }
306            '/' | '?' | '#' => break,
307            _ => {}
308        }
309    }
310    let Some(end) = scheme_end else {
311        return true; // no scheme → relative URL → safe
312    };
313    let scheme = &trimmed[..end];
314    // A real scheme is alpha then [a-z0-9+.-]*. Anything else is suspicious.
315    let mut chars = scheme.chars();
316    let well_formed = matches!(chars.next(), Some(c) if c.is_ascii_alphabetic())
317        && chars.all(|c| c.is_ascii_alphanumeric() || matches!(c, '+' | '.' | '-'));
318    if !well_formed {
319        return false;
320    }
321    let lower = scheme.to_ascii_lowercase();
322    lower == "http" || lower == "https"
323}
324
325fn register_img_filter(env: &mut Environment<'static>) {
326    env.add_filter(
327        "img",
328        |url: String,
329         kwargs: minijinja::value::Kwargs|
330         -> Result<minijinja::Value, minijinja::Error> {
331            let alt: String = kwargs.get::<Option<String>>("alt")?.unwrap_or_default();
332            let width: Option<i64> = kwargs.get("width")?;
333            let height: Option<i64> = kwargs.get("height")?;
334            let class: Option<String> = kwargs.get("class")?;
335            // Accept the extras even when the call doesn't pass them
336            // — kwargs.get returns Ok(None) for absent keys but
337            // .assert_all_used() at the end will catch a typo'd
338            // `alt_text` so the user gets a clear error instead of
339            // silent drop. Matches the rest of the framework's
340            // strict-input posture.
341            kwargs.assert_all_used()?;
342
343            // Defense-in-depth: never emit a `javascript:` / `data:` /
344            // other non-http(s) scheme into `src`. Not a live XSS (browsers
345            // don't run JS from `<img src>` and the value is HTML-escaped),
346            // but a hostile stored URL has no business here. A disallowed
347            // scheme neutralises to an empty src (broken image) rather than
348            // erroring the whole page on user data.
349            let url = if url_scheme_is_safe(&url) {
350                url
351            } else {
352                String::new()
353            };
354
355            let mut out = String::with_capacity(url.len() + 128);
356            out.push_str("<img src=\"");
357            html_escape_into(&mut out, &url);
358            out.push_str("\" alt=\"");
359            html_escape_into(&mut out, &alt);
360            out.push_str("\" loading=\"lazy\" decoding=\"async\"");
361            if let Some(w) = width {
362                out.push_str(" width=\"");
363                out.push_str(&w.to_string());
364                out.push('"');
365            }
366            if let Some(h) = height {
367                out.push_str(" height=\"");
368                out.push_str(&h.to_string());
369                out.push('"');
370            }
371            if let Some(c) = class {
372                if !c.is_empty() {
373                    out.push_str(" class=\"");
374                    html_escape_into(&mut out, &c);
375                    out.push('"');
376                }
377            }
378            out.push('>');
379            Ok(minijinja::Value::from_safe_string(out))
380        },
381    );
382}
383
384/// features.md #4 — register the `markdown` filter that turns a
385/// CommonMark + GFM string into sanitized HTML.
386///
387/// Filter signature: `{{ body | markdown }}`.
388///
389/// Pipeline:
390/// 1. `pulldown-cmark` parses the input with GFM extensions on
391///    (tables, strikethrough, task lists, footnotes) and renders to
392///    HTML.
393/// 2. `ammonia` sanitizes that HTML — strips `<script>`, inline event
394///    handlers (`onerror=`, `onclick=`), `javascript:` URLs, and any
395///    tag/attribute outside its safe allowlist. This is the security
396///    boundary: user-supplied markdown (plugin bodies, usage docs,
397///    reviews) is rendered, never trusted.
398/// 3. The result is wrapped in `Value::from_safe_string` so MiniJinja's
399///    autoescape emits the generated tags as markup instead of
400///    re-escaping them into `&lt;...&gt;`.
401///
402/// Why sanitize after rendering rather than trusting the parser: raw
403/// HTML embedded in a markdown source (`<script>...`) passes straight
404/// through pulldown-cmark by design. ammonia is the layer that makes
405/// "render whatever the user typed" safe.
406///
407/// Deferred (separate slices): syntax highlighting on fenced code
408/// blocks (ammonia strips the `language-*` class today) and a
409/// configurable allowlist for embeds — see the gap entries.
410/// Register the global `static()` template function so templates can
411/// write `{{ static("admin/admin.css") }}` and get back a URL prefixed
412/// with the configured `static_url`.
413///
414/// `static_url` is captured into the closure when the environment is
415/// built (rather than read per-call) — the value is fixed for the
416/// process at `App::build()` time, and minijinja functions can't reach
417/// the ambient `Settings` directly. The dev-mode render path rebuilds
418/// the env per render via [`build_env`], so a `static_url` change would
419/// be picked up there too; in practice it never changes at runtime.
420///
421/// Resolution joins `static_url` and the argument with exactly one
422/// slash: a leading slash on the argument (`static("/admin/x")`) is
423/// trimmed so the result never double-slashes. With the default
424/// `static_url = "/static/"`, `static("admin/admin.css")` yields
425/// `"/static/admin/admin.css"`; with a CDN origin
426/// `static_url = "https://cdn.example.com/s/"` it yields
427/// `"https://cdn.example.com/s/admin/admin.css"`.
428fn register_static_function(env: &mut Environment<'static>, static_url: String) {
429    env.add_function("static", move |path: String| -> String {
430        // Route through the manifest-aware resolver so a `--hashed`
431        // collect makes `{{ static("css/app.css") }}` emit the
432        // content-hashed URL. The captured `static_url` is the fixed
433        // prefix; the manifest lookup is the only per-call ambient read.
434        if let Some(hashed) = crate::static_files::manifest_lookup(&path) {
435            return join_static_url(&static_url, hashed);
436        }
437        join_static_url(&static_url, &path)
438    });
439}
440
441/// Join a `static_url` prefix and an asset path with exactly one slash.
442///
443/// `static_url` is normalised to end in a slash by [`crate::settings`];
444/// the asset path may or may not lead with one, so its leading slash is
445/// trimmed before the join. With `static_url = "/static/"`,
446/// `join_static_url(.., "admin/admin.css")` yields
447/// `"/static/admin/admin.css"`.
448fn join_static_url(static_url: &str, path: &str) -> String {
449    format!("{}{}", static_url, path.trim_start_matches('/'))
450}
451
452/// Resolve an asset path against the ambient `static_url`, mirroring the
453/// `static()` template global outside a minijinja render.
454///
455/// Plugins that build their own minijinja [`Environment`] (the admin
456/// engine, for one) call this to register an equivalent `static()`
457/// function so their templates can write `{{ static("admin/admin.css") }}`
458/// and resolve through the same unified static pipeline URL as the core
459/// engine. Reads `static_url` from ambient [`crate::settings`], defaulting
460/// to `/static/` when settings aren't initialised yet (bare unit tests).
461pub fn resolve_static_url(path: &str) -> String {
462    let static_url = crate::settings::get_opt()
463        .map(|s| s.static_url.clone())
464        .unwrap_or_else(|| "/static/".to_string());
465
466    // Manifest cache-busting (hashed static-file storage): when
467    // `collectstatic --hashed` has run, a `staticfiles.json` maps the
468    // logical path the template wrote (`css/app.css`) to its
469    // content-hashed name (`css/app.<hash>.css`). Resolving to the hashed
470    // URL lets the asset carry far-future cache headers — the hash in the
471    // name changes whenever the bytes do, so a stale cache can never mask
472    // a new build. When no manifest is loaded (no `--hashed` run), the
473    // lookup misses and we serve the plain path exactly as before.
474    if let Some(hashed) = crate::static_files::manifest_lookup(path) {
475        return join_static_url(&static_url, hashed);
476    }
477
478    join_static_url(&static_url, path)
479}
480
481/// Register the global `media_url()` template function so a template can
482/// write `{{ media_url(plugin.logo) }}` and get back the public URL for a
483/// stored file/image KEY, resolved through the ambient
484/// [`crate::storage::Storage`] backend.
485///
486/// Mirrors the `static()` global ([`register_static_function`]) but for
487/// user-uploaded media instead of developer-shipped assets:
488/// `ImageField` / `FileField` serialize as the bare storage key, so
489/// `{{ media_url(plugin.logo) }}` (where `plugin.logo` is the key string)
490/// resolves to the storage backend's public URL.
491///
492/// - An empty key yields the empty string (the surrounding `{% if %}`
493///   guard skips the markup).
494/// - With no `Storage` backend registered, the raw key falls through
495///   unchanged.
496/// - A `None`/optional field serializes to null, which the template's
497///   `{% if %}` guard handles before the helper is ever called.
498fn register_media_url_function(env: &mut Environment<'static>) {
499    env.add_function("media_url", |key: String| -> String {
500        if key.is_empty() {
501            return String::new();
502        }
503        crate::storage::storage_opt()
504            .map(|s| s.url(&key))
505            .unwrap_or(key)
506    });
507}
508
509/// Register the `{{ querystring_with(current_query, key, value) }}` global
510/// (gaps/features #65 — template pagination). Rebuilds a querystring
511/// replacing one key while preserving every other parameter, the fiddly bit
512/// behind a pagination nav that has to carry `?sort=name` across every
513/// `?page=N` link. Backed by [`crate::pagination::querystring_with`] so the
514/// encode/replace logic stays in one place and is unit-tested there. The
515/// returned string has no leading `?`; the template prepends one.
516fn register_querystring_with_function(env: &mut Environment<'static>) {
517    env.add_function(
518        "querystring_with",
519        // `value` is a `minijinja::Value`, not a `String`: the nav passes
520        // `page.next_page_number` / `item.n`, which are integers, and
521        // minijinja does NOT auto-coerce an int arg into a `String`
522        // parameter — it'd raise a type error at render. Accepting `Value`
523        // and stringifying covers ints, strings, and bools uniformly.
524        |current_query: String, key: String, value: minijinja::Value| -> String {
525            crate::pagination::querystring_with(&current_query, &key, &value.to_string())
526        },
527    );
528}
529
530fn register_markdown_filter(env: &mut Environment<'static>) {
531    env.add_filter("markdown", |input: String| -> minijinja::Value {
532        minijinja::Value::from_safe_string(render_markdown(&input))
533    });
534}
535
536/// Register the `{{ highlight_styles() }}` global: emits the generated
537/// `base16-ocean.dark` token stylesheet wrapped in a `<style>` block, for a
538/// base template to drop into `<head>` once. The CSS is a safe string
539/// (generated by syntect from a fixed theme, no user input), so it is
540/// marked safe to skip minijinja autoescape.
541fn register_highlight_styles_function(env: &mut Environment<'static>) {
542    env.add_function("highlight_styles", || -> minijinja::Value {
543        minijinja::Value::from_safe_string(format!("<style>{}</style>", highlight_css()))
544    });
545}
546
547/// features.md #67 — `{{ now() }}` / `{{ now("%Y-%m-%d") }}`. Renders the
548/// current UTC time, optionally via a chrono `strftime` format string.
549/// With no argument it emits RFC 3339 (e.g. `2026-06-13T10:30:00+00:00`).
550/// The reference built-in tag for the custom-tag surface.
551fn register_now_function(env: &mut Environment<'static>) {
552    env.add_function("now", |fmt: Option<String>| -> String {
553        let now = chrono::Utc::now();
554        match fmt {
555            Some(f) if !f.is_empty() => now.format(&f).to_string(),
556            _ => now.to_rfc3339(),
557        }
558    });
559}
560
561/// features.md #67 — `{{ price | currency }}` / `{{ price | currency("EUR") }}`.
562/// Formats a number as money: two decimals, thousands grouping, and a
563/// leading symbol for the common ISO codes (USD/EUR/GBP/JPY); an unknown
564/// code falls back to `1,234.56 CODE`. The reference built-in filter.
565fn register_currency_filter(env: &mut Environment<'static>) {
566    env.add_filter("currency", |amount: f64, code: Option<String>| -> String {
567        let code = code.unwrap_or_else(|| "USD".to_string());
568        let symbol = match code.as_str() {
569            "USD" | "AUD" | "CAD" | "NZD" => "$",
570            "EUR" => "€",
571            "GBP" => "£",
572            "JPY" | "CNY" => "¥",
573            "KES" => "KSh ",
574            _ => "",
575        };
576        // Sign goes outside the symbol: -$12.40, not $-12.40.
577        let sign = if amount < 0.0 { "-" } else { "" };
578        let body = group_thousands(amount.abs());
579        if symbol.is_empty() {
580            format!("{sign}{body} {code}")
581        } else {
582            format!("{sign}{symbol}{body}")
583        }
584    });
585}
586
587/// Format a float with two decimals and comma thousands separators on the
588/// integer part: `1234567.5 -> "1,234,567.50"`, `-12.4 -> "-12.40"`.
589fn group_thousands(amount: f64) -> String {
590    let negative = amount.is_sign_negative() && amount != 0.0;
591    let formatted = format!("{:.2}", amount.abs());
592    let (int_part, frac_part) = formatted.split_once('.').unwrap_or((&formatted, "00"));
593
594    let mut grouped = String::new();
595    let digits: Vec<char> = int_part.chars().collect();
596    for (i, ch) in digits.iter().enumerate() {
597        if i > 0 && (digits.len() - i) % 3 == 0 {
598            grouped.push(',');
599        }
600        grouped.push(*ch);
601    }
602    format!("{}{grouped}.{frac_part}", if negative { "-" } else { "" })
603}
604
605/// features.md #4 — register the `sanitize` filter: clean a string of
606/// HTML (e.g. the output of the admin's RTE widget, which stores
607/// HTML rather than markdown) down to ammonia's safe allowlist and
608/// hand it to the template as a safe string.
609///
610/// `{{ body | sanitize }}` is the display companion to the `rte`
611/// widget the way `{{ body | markdown }}` is to the `markdown` widget:
612/// the stored value is HTML, so it's sanitized — never trusted — before
613/// it reaches the page. A value tampered with via the REST write path
614/// (which doesn't go through the editor) is made safe here.
615fn register_sanitize_filter(env: &mut Environment<'static>) {
616    env.add_filter("sanitize", |input: String| -> minijinja::Value {
617        minijinja::Value::from_safe_string(sanitize_html(&input))
618    });
619}
620
621/// Clean `input` HTML down to ammonia's safe allowlist (strips
622/// `<script>`, event handlers, `javascript:` URLs, etc.). The
623/// non-markdown sibling of [`render_markdown`] — use it on stored HTML
624/// (the RTE widget's output).
625pub fn sanitize_html(input: &str) -> String {
626    ammonia::clean(input)
627}
628
629/// The class prefix syntect token spans carry (`hl-keyword`, `hl-string`,
630/// `hl-source`, …). Shared by the highlighter and the generated
631/// stylesheet so the two never drift.
632const HL_PREFIX: &str = "hl-";
633
634fn hl_class_style() -> ClassStyle {
635    ClassStyle::SpacedPrefixed { prefix: HL_PREFIX }
636}
637
638/// The bundled syntect syntax set, loaded once. The load parses a binary
639/// dump and is expensive, so it is cached for the life of the process.
640fn syntax_set() -> &'static SyntaxSet {
641    static SYNTAX_SET: OnceLock<SyntaxSet> = OnceLock::new();
642    SYNTAX_SET.get_or_init(SyntaxSet::load_defaults_newlines)
643}
644
645/// The `base16-ocean.dark` token stylesheet, generated once from syntect's
646/// bundled theme with the `hl-` class prefix. This is the single source of
647/// truth for token colors — the markdown highlighter emits matching
648/// classes. Returns `""` only if syntect cannot generate the CSS (it
649/// always can for a bundled theme), so callers never need to handle an
650/// error.
651pub fn highlight_css() -> &'static str {
652    static HIGHLIGHT_CSS: OnceLock<String> = OnceLock::new();
653    HIGHLIGHT_CSS
654        .get_or_init(|| {
655            let themes = ThemeSet::load_defaults();
656            match themes.themes.get("base16-ocean.dark") {
657                Some(theme) => {
658                    css_for_theme_with_class_style(theme, hl_class_style()).unwrap_or_default()
659                }
660                None => String::new(),
661            }
662        })
663        .as_str()
664}
665
666/// Return `true` iff every character in a fence info token is safe to
667/// embed verbatim in a `class="language-…"` HTML attribute value.
668///
669/// A legitimate language token is just a word: `rust`, `c++`, `c#`,
670/// `shell`, `text/plain`, etc. It never needs `<`, `>`, `"`, `'`, `=`,
671/// backticks, or whitespace. Rejecting those characters closes the
672/// class-injection vector that would otherwise let a hostile fence like
673/// `` ```<script>alert(1)</script> `` survive ammonia's pass (ammonia
674/// allows `class` on `<code>` but does not filter the attribute VALUE).
675fn fence_lang_is_safe(lang: &str) -> bool {
676    !lang.is_empty()
677        && lang.len() <= 64
678        && lang.chars().all(|c| {
679            c.is_ascii_alphanumeric()
680                || matches!(c, '+' | '-' | '_' | '.' | '#' | '/' | '@')
681        })
682}
683
684/// Render one fenced code block to safe HTML. `lang` is the fence info
685/// token (`Some("rust")`) or `None` for an unlabelled / indented block.
686/// With a known language the body is syntect-highlighted into `hl-` token
687/// spans; otherwise — or on any highlighter error — it falls back to a
688/// plain escaped block that still carries `class="language-…"` so the
689/// `md-enhance.js` label keeps working. Never panics, never drops the
690/// user's code.
691fn highlight_code_block(lang: Option<&str>, src: &str) -> String {
692    // Validate the lang token before touching it. A hostile fence info
693    // string (e.g. `<script>alert(1)</script>`) must never land in the
694    // `class="language-…"` attribute value even after HTML-escaping,
695    // because ammonia re-parses the tree and may not re-escape `<`/`>`
696    // that appear inside attribute values of allowed elements. Treating
697    // an unsafe token as `None` produces a plain unlabelled code block
698    // (still safe and still readable) rather than a class-injection path.
699    let lang = lang.filter(|l| fence_lang_is_safe(l));
700
701    let ss = syntax_set();
702    let syntax = lang.and_then(|l| {
703        ss.find_syntax_by_token(l)
704            .or_else(|| ss.find_syntax_by_extension(l))
705    });
706    if let Some(syntax) = syntax {
707        let mut generator =
708            ClassedHTMLGenerator::new_with_class_style(syntax, ss, hl_class_style());
709        let mut ok = true;
710        for line in LinesWithEndings::from(src) {
711            if generator
712                .parse_html_for_line_which_includes_newline(line)
713                .is_err()
714            {
715                ok = false;
716                break;
717            }
718        }
719        if ok {
720            // `finalize()` returns safe `<span class="hl-…">` markup —
721            // pass it through unescaped.
722            return wrap_code_block(lang, &generator.finalize());
723        }
724    }
725    // Fallback: escape the raw text so it is inert, then wrap.
726    let mut escaped = String::with_capacity(src.len());
727    html_escape_into(&mut escaped, src);
728    wrap_code_block(lang, &escaped)
729}
730
731/// Wrap inner code HTML (token spans, or escaped plain text) in
732/// `<pre><code class="language-…">` so the md-enhance frame + language
733/// label attach. The language token is HTML-escaped before it lands in the
734/// class value (it comes straight from the fence info string).
735fn wrap_code_block(lang: Option<&str>, inner: &str) -> String {
736    let mut out = String::with_capacity(inner.len() + 48);
737    out.push_str("<pre><code");
738    if let Some(l) = lang {
739        out.push_str(" class=\"language-");
740        html_escape_into(&mut out, l);
741        out.push('"');
742    }
743    out.push('>');
744    out.push_str(inner);
745    out.push_str("</code></pre>");
746    out
747}
748
749/// Render CommonMark + GFM `input` to sanitized HTML. Pulled out of the
750/// filter closure so it's unit-testable and reusable by any future
751/// Rust-side caller (e.g. a REST endpoint that returns pre-rendered
752/// HTML).
753pub fn render_markdown(input: &str) -> String {
754    use pulldown_cmark::{CodeBlockKind, Event, Options, Parser, Tag, TagEnd, html};
755
756    let mut options = Options::empty();
757    options.insert(Options::ENABLE_TABLES);
758    options.insert(Options::ENABLE_STRIKETHROUGH);
759    options.insert(Options::ENABLE_TASKLISTS);
760    options.insert(Options::ENABLE_FOOTNOTES);
761
762    let parser = Parser::new_ext(input, options);
763
764    // Rewrite the event stream: replace each code block with a single
765    // pre-highlighted Html event. The fence info token selects the syntect
766    // syntax; everything else passes through unchanged.
767    let mut events: Vec<Event> = Vec::new();
768    let mut in_code = false;
769    let mut code_lang: Option<String> = None;
770    let mut code_buf = String::new();
771    for event in parser {
772        match event {
773            Event::Start(Tag::CodeBlock(kind)) => {
774                in_code = true;
775                code_buf.clear();
776                code_lang = match kind {
777                    CodeBlockKind::Fenced(info) => {
778                        info.split_whitespace().next().map(str::to_string)
779                    }
780                    CodeBlockKind::Indented => None,
781                };
782            }
783            Event::End(TagEnd::CodeBlock) => {
784                in_code = false;
785                let highlighted = highlight_code_block(code_lang.as_deref(), &code_buf);
786                events.push(Event::Html(highlighted.into()));
787            }
788            Event::Text(text) if in_code => code_buf.push_str(&text),
789            other => events.push(other),
790        }
791    }
792
793    let mut rendered = String::new();
794    html::push_html(&mut rendered, events.into_iter());
795
796    // Sanitize. `pre`/`code`/`span` are already default-allowed tags, so we
797    // widen the allowlist by exactly one inert attribute — `class` on those
798    // three — letting syntect's `hl-` token spans and the `language-*` label
799    // survive. style / on* handlers / javascript: URLs stay stripped: this is
800    // the whole "safely" surface. Built per call: ammonia::Builder isn't Sync
801    // (boxed attribute_filter), so it can't be a shared static without a Mutex
802    // that would serialize rendering; this costs the same as ammonia::clean.
803    let mut cleaner = ammonia::Builder::default();
804    cleaner.add_tag_attributes("pre", &["class"]);
805    cleaner.add_tag_attributes("code", &["class"]);
806    cleaner.add_tag_attributes("span", &["class"]);
807    cleaner.clean(&rendered).to_string()
808}
809
810/// Tiny HTML attribute-value escape — covers the four characters
811/// that can break out of a double-quoted attribute context.
812/// Centralised here because the framework doesn't otherwise need
813/// to ship an html_escape crate dep just for the img filter.
814fn html_escape_into(out: &mut String, s: &str) {
815    for ch in s.chars() {
816        match ch {
817            '&' => out.push_str("&amp;"),
818            '<' => out.push_str("&lt;"),
819            '>' => out.push_str("&gt;"),
820            '"' => out.push_str("&quot;"),
821            '\'' => out.push_str("&#39;"),
822            c => out.push(c),
823        }
824    }
825}
826
827fn register_default_templates(
828    env: &mut Environment<'static>,
829    seen: &mut std::collections::HashSet<String>,
830) {
831    let entries = [
832        (
833            crate::errors::DEFAULT_404_TEMPLATE_NAME,
834            crate::errors::DEFAULT_404_HTML,
835        ),
836        (
837            crate::errors::DEFAULT_500_TEMPLATE_NAME,
838            crate::errors::DEFAULT_500_HTML,
839        ),
840    ];
841    for (name, source) in entries {
842        if seen.contains(name) {
843            continue; // already provided by user — skip
844        }
845        // These are compile-time constants so they're `&'static str`; we can
846        // add them without cloning via `add_template` (non-owned variant).
847        if env.add_template(name, source).is_ok() {
848            seen.insert(name.to_string());
849        }
850    }
851}
852
853/// Publish the template engine into the process-wide ambient handle.
854///
855/// `dirs` is the ordered list of directories to search — the first
856/// entry is searched first (highest priority). Typically this is:
857/// `[app_templates_dir, plugin_a_dir, plugin_b_dir, ...]`.
858///
859/// For each directory in order, every `.html` / `.htm` / `.txt` file is
860/// registered under its path-relative-to-that-dir name. If a name was
861/// already registered by an earlier directory, the later file is skipped
862/// and a `tracing::warn!` is emitted so the collision is visible.
863///
864/// If none of the directories exist, init succeeds with an empty engine.
865/// This is the right default for binaries that don't render HTML.
866///
867/// Returns the list of template names that collided (appeared in more
868/// than one directory). The caller (`App::build`) logs these via tracing.
869/// Tests can inspect the returned list to assert collision detection
870/// without needing a tracing subscriber.
871pub fn init(dirs: &[PathBuf]) -> Result<Vec<String>, TemplateError> {
872    let (env, collisions) = build_env(dirs)?;
873
874    for name in &collisions {
875        tracing::warn!(
876            template = %name,
877            "umbral templates: template `{name}` is provided by multiple directories; \
878             the first-registered copy wins"
879        );
880    }
881
882    // Stash the dirs so the dev-mode render path can rebuild the env
883    // on demand without re-running the (more expensive) init flow.
884    let _ = WATCHED_DIRS.set(dirs.to_vec());
885
886    ENGINE
887        .set(env)
888        .map_err(|_| TemplateError::AlreadyInitialised)?;
889    Ok(collisions)
890}
891
892/// Like [`init`], but also installs plugin-contributed
893/// [`TemplateRegistrar`]s (feature #67). The registrars are stashed in
894/// the process-wide [`REGISTRARS`] handle *before* the engine is built so
895/// [`build_env`] applies them — both here and on every dev-mode rebuild.
896///
897/// Called by `App::build` with the flattened registrars from every
898/// plugin's `template_registrars()`, in topological order. The plain
899/// [`init`] stays the no-plugin entry point used by template unit tests.
900pub fn init_with(
901    dirs: &[PathBuf],
902    registrars: Vec<TemplateRegistrar>,
903) -> Result<Vec<String>, TemplateError> {
904    // Set even when empty so a second (errant) init can't smuggle in a
905    // different registrar set behind the already-published engine.
906    let _ = REGISTRARS.set(registrars);
907    init(dirs)
908}
909
910/// Build a fresh `Environment` from the given dirs. Shared by the
911/// init path and the dev-mode hot-reload path; both produce
912/// bit-identical engines from the same input.
913fn build_env(dirs: &[PathBuf]) -> Result<(Environment<'static>, Vec<String>), TemplateError> {
914    let mut env = Environment::new();
915    // Autoescape extensions MUST stay in sync with the loader
916    // whitelist in `load_directory` (currently `html | htm | txt`).
917    // If you add `.svg` or `.xml` to the loader, add them HERE too
918    // — `.svg` carries inline-script XSS risk and `.xml` is generally
919    // parsed by something downstream that wants attribute escaping.
920    // `.txt` stays `None` because plaintext rendering shouldn't HTML-
921    // escape (would replace `<` with `&lt;` in plain email bodies).
922    env.set_auto_escape_callback(|name| {
923        if name.ends_with(".html") || name.ends_with(".htm") {
924            AutoEscape::Html
925        } else {
926            AutoEscape::None
927        }
928    });
929
930    // gaps2 #21 — register the `img` filter for ergonomic, perf-
931    // forward image markup. `{{ url | img(alt="...", width=400,
932    // height=300) }}` expands to a fully-formed `<img>` with the
933    // hat-trick that catches LCP regressions out of the box:
934    // `loading="lazy"`, `decoding="async"`, explicit `width`/
935    // `height` to reserve layout space (no CLS), and an `alt`
936    // attribute that's empty rather than omitted (screen-reader-
937    // friendly default for purely decorative images). Optional
938    // `class="..."` flows through for Tailwind / scoped styling.
939    register_img_filter(&mut env);
940
941    // `{{ highlight_styles() }}` — the syntect token stylesheet for
942    // server-highlighted code, emitted once into <head> by a base template.
943    register_highlight_styles_function(&mut env);
944
945    // Unified static pipeline — `{{ static("admin/admin.css") }}`
946    // expands to `<static_url>admin/admin.css`. The `static_url` is read
947    // from ambient settings (defaulting to `/static/` when settings
948    // aren't initialised yet, e.g. in a bare template unit test) and
949    // captured into the function closure. See `register_static_function`.
950    let static_url = crate::settings::get_opt()
951        .map(|s| s.static_url.clone())
952        .unwrap_or_else(|| "/static/".to_string());
953    register_static_function(&mut env, static_url);
954
955    // `{{ media_url(plugin.logo) }}` resolves a stored file/image KEY
956    // through the ambient Storage backend's `url()`, the media-side
957    // companion to `static()`. ImageField/FileField serialize as the
958    // bare key; this turns it into the public URL. See
959    // `register_media_url_function`.
960    register_media_url_function(&mut env);
961
962    // features.md #4 — `{{ body | markdown }}` renders user-supplied
963    // CommonMark/GFM to sanitized HTML. The reusable "safely show a
964    // body/usage field" surface shared by the admin and end-user
965    // templates; pairs with `#[umbral(widget = "markdown")]` on the
966    // model field that captures the source.
967    register_markdown_filter(&mut env);
968
969    // features.md #4 — `{{ html | sanitize }}` cleans stored HTML (the
970    // `rte` admin widget's output) to a safe allowlist. The HTML-side
971    // companion to the markdown filter.
972    register_sanitize_filter(&mut env);
973
974    // gaps2 #19 follow-up — render `None` / `Undefined` as the
975    // empty string instead of the literal "none" / "undefined" tokens
976    // MiniJinja defaults to. Bug screenshot 2026-06-10 01-08-30: an
977    // `Option<String>` model field with `value=None` rendered into
978    // `<input value="{{ form.phone }}">` produced `value="none"` on a
979    // fresh form, which the user then has to manually clear before
980    // typing. Every form with optional fields hit this footgun.
981    //
982    // Defining a custom formatter is the framework-level fix — every
983    // template (admin, shop, plugins) inherits the new behaviour
984    // automatically. Non-null/non-undefined values pass through the
985    // default formatter unchanged so HTML escaping, number / bool /
986    // string rendering, and safe-string handling stay identical.
987    env.set_formatter(|out, state, value| {
988        if value.is_none() || value.is_undefined() {
989            return Ok(());
990        }
991        minijinja::escape_formatter(out, state, value)
992    });
993
994    // features.md #67 — built-in example tags/filters. These ship as the
995    // reference implementations for the custom-tag surface: `now()` for a
996    // server-rendered timestamp, `currency` for money formatting. Plugins
997    // add their own via `Plugin::template_registrars` (applied below).
998    register_now_function(&mut env);
999    register_currency_filter(&mut env);
1000
1001    // features #65 — `{{ querystring_with(base_query, "page", item.n) }}`
1002    // rebuilds the current querystring replacing one key, so the bundled
1003    // `_pagination.html` nav carries `?sort=...` filters across every
1004    // `?page=N` link. See `register_querystring_with_function`.
1005    register_querystring_with_function(&mut env);
1006
1007    // features.md #67 — plugin-contributed filters/functions. Applied
1008    // AFTER the built-ins so a plugin can deliberately override one by
1009    // re-registering the same name (minijinja's add_* overwrites). Runs
1010    // on every rebuild (dev hot-reload) because `Fn`, not `FnOnce`.
1011    if let Some(registrars) = REGISTRARS.get() {
1012        for registrar in registrars {
1013            registrar(&mut env);
1014        }
1015    }
1016
1017    let mut seen: HashSet<String> = HashSet::new();
1018    let mut collisions: Vec<String> = Vec::new();
1019
1020    // Register the built-in default error templates before scanning disk
1021    // directories. Because disk directories are first-match-wins and are
1022    // scanned after this call, a user template with the same name (unlikely,
1023    // since the `__umbral__/` prefix is reserved) would silently replace the
1024    // built-in. Callers who want a clean opt-out should use
1025    // `App::builder().disable_default_error_pages()`.
1026    register_default_templates(&mut env, &mut seen);
1027
1028    for dir in dirs {
1029        if dir.exists() {
1030            load_directory(&mut env, dir, dir, &mut seen, &mut collisions)?;
1031        }
1032    }
1033
1034    Ok((env, collisions))
1035}
1036
1037/// Render a template by name with a serde-serializable context value.
1038///
1039/// The name is the path relative to its templates directory, with
1040/// forward slashes regardless of host OS. `articles_list.html`,
1041/// `admin/base.html`, etc.
1042///
1043/// Returns `TemplateError::NotInitialised` if `App::build()` hasn't
1044/// run yet, `TemplateError::Missing` if the name doesn't match a
1045/// loaded template, and `TemplateError::Render` for any minijinja-
1046/// reported issue (syntax error, missing variable when strict undefined
1047/// is on, etc.).
1048pub fn render<C: Serialize>(name: &str, ctx: &C) -> Result<String, TemplateError> {
1049    // Dev-mode hot reload: when settings.environment == Dev, rebuild
1050    // the environment from disk on every render so template edits are
1051    // picked up without a server restart. This makes the dev loop —
1052    // edit `home.html`, hit reload, see the change — work without
1053    // `cargo run`-ing again. Production stays on the cached engine
1054    // for the fast path.
1055    //
1056    // Cost: one disk walk + minijinja parse per render in dev. For a
1057    // typical handler doing one render per request at ~10 RPS during
1058    // development, that's negligible. We chose this over per-file
1059    // stat checks because the per-render rebuild is dependency-free
1060    // and the staleness window is zero (a save followed instantly
1061    // by a reload always sees the new content).
1062    if dev_mode_active() {
1063        if let Some(dirs) = WATCHED_DIRS.get() {
1064            // Rebuild fresh; ignore collisions log here (init already
1065            // logged them once; we don't spam every render).
1066            match build_env(dirs) {
1067                Ok((env, _collisions)) => return render_with(&env, name, ctx),
1068                Err(e) => return Err(e),
1069            }
1070        }
1071    }
1072
1073    let env = ENGINE.get().ok_or(TemplateError::NotInitialised)?;
1074    render_with(env, name, ctx)
1075}
1076
1077/// Render an inline template source through the ambient-context path.
1078/// Test/bench helper only.
1079#[doc(hidden)]
1080pub fn render_str<C: Serialize>(src: &str, ctx: &C) -> Result<String, TemplateError> {
1081    let mut env = minijinja::Environment::new();
1082    env.add_template("__inline", src)
1083        .map_err(TemplateError::Render)?;
1084    render_with(&env, "__inline", ctx)
1085}
1086
1087/// True when the ambient settings say we're in Dev. Returns false if
1088/// settings haven't been initialised (production-style binaries that
1089/// never went through `App::build()`).
1090fn dev_mode_active() -> bool {
1091    crate::settings::get_opt()
1092        .map(|s| matches!(s.environment, crate::settings::Environment::Dev))
1093        .unwrap_or(false)
1094}
1095
1096/// Render a named template against the given env. Extracted so dev-mode
1097/// (fresh env per render) and prod (cached env) share one error mapping.
1098fn render_with<C: Serialize>(
1099    env: &Environment<'_>,
1100    name: &str,
1101    ctx: &C,
1102) -> Result<String, TemplateError> {
1103    let tmpl = env.get_template(name).map_err(|e| match e.kind() {
1104        minijinja::ErrorKind::TemplateNotFound => TemplateError::Missing(name.to_string()),
1105        _ => TemplateError::Render(e),
1106    })?;
1107    let merged = merge_ambient_context(ctx);
1108    tmpl.render(&merged).map_err(TemplateError::Render)
1109}
1110
1111/// Merge the ambient task-locals into a serializable template context:
1112/// `user` (from `CURRENT_USER`) and the CSRF pair `csrf_token` /
1113/// `csrf_input` (from `CURRENT_CSRF`). The handler's own keys always
1114/// win — the ambient injection is the default, not an override.
1115///
1116/// `user` is injected unconditionally (anonymous fallback below);
1117/// the CSRF pair only when a middleware actually scoped a token —
1118/// there is no meaningful fallback token, and rendering an empty
1119/// hidden input would make a form post a guaranteed-403 silently.
1120///
1121/// Most code should use [`render`], which calls this automatically.
1122/// Plugins that own a private MiniJinja environment can call this before
1123/// `Template::render` to get the same `{{ user }}`, `{{ csrf_token }}`,
1124/// and `{{ csrf_input }}` semantics as the framework renderer.
1125pub fn merge_ambient_context<C: Serialize>(ctx: &C) -> minijinja::Value {
1126    let ctx_value = minijinja::Value::from_serialize(ctx);
1127    merge_ambient_value(ctx_value)
1128}
1129
1130/// Same as [`merge_ambient_context`], but accepts an already-built
1131/// MiniJinja [`Value`](minijinja::Value). This is useful for private
1132/// plugin renderers that build context with `minijinja::context!`.
1133pub fn merge_ambient_value(ctx_value: minijinja::Value) -> minijinja::Value {
1134    let has = |key: &str| {
1135        ctx_value
1136            .get_attr(key)
1137            .map(|v| !v.is_undefined())
1138            .unwrap_or(false)
1139    };
1140
1141    let need_user = !has("user");
1142    let csrf = current_csrf();
1143    let need_csrf = csrf.is_some() && !(has("csrf_token") && has("csrf_input"));
1144
1145    if !need_user && !need_csrf {
1146        return ctx_value;
1147    }
1148
1149    // Build a fresh object that contains every original key plus the
1150    // ambient ones. minijinja's `Value::from_iter` over (key, value)
1151    // pairs produces a Map value; we walk the original keys and add
1152    // ours last.
1153    let mut pairs: Vec<(String, minijinja::Value)> = Vec::new();
1154    if let Ok(keys) = ctx_value.try_iter() {
1155        for key in keys {
1156            let key_str = key.to_string();
1157            if let Ok(v) = ctx_value.get_item(&key) {
1158                pairs.push((key_str, v));
1159            }
1160        }
1161    }
1162
1163    if need_user {
1164        // Resolve which `user` value should land in the rendered ctx:
1165        //   1. Task-local set by a middleware (AuthPlugin's
1166        //      `user_context_layer`) — the live request shape.
1167        //   2. Anonymous fallback `{ is_authenticated: false }` for
1168        //      callers WITHOUT a layer mounted AND for renders that
1169        //      happen outside the middleware's scope (notably the
1170        //      `render_500_middleware` recovery path — the
1171        //      user-context task-local has already dropped by the time
1172        //      the error layer renders, but the 500 template still
1173        //      needs `user.is_authenticated` to evaluate cleanly).
1174        //
1175        // The fallback is the same shape `serialize_anonymous` would
1176        // produce, kept in core so umbral-auth isn't a dependency of
1177        // the templates module.
1178        // Prefer the lazy channel (proxy defers resolution until attribute access),
1179        // then the eager task-local, then the anonymous fallback.
1180        let user_value = if let Ok(lazy) = CURRENT_USER_LAZY.try_with(|lazy| lazy.clone()) {
1181            lazy.into_proxy_value()
1182        } else if let Some(v) = CURRENT_USER.try_with(|u| u.clone()).ok().flatten() {
1183            v
1184        } else {
1185            anonymous_user_value()
1186        };
1187        pairs.push(("user".to_string(), user_value));
1188    }
1189
1190    if let Some(token) = csrf {
1191        if !has("csrf_token") {
1192            pairs.push((
1193                "csrf_token".to_string(),
1194                minijinja::Value::from(token.clone()),
1195            ));
1196        }
1197        if !has("csrf_input") {
1198            // Today's tokens are hex (signed mode adds `.` + hex sig),
1199            // so the escape is belt-and-braces against a future
1200            // token-shape change — not a live attack surface.
1201            let escaped = token
1202                .replace('&', "&amp;")
1203                .replace('"', "&quot;")
1204                .replace('<', "&lt;")
1205                .replace('>', "&gt;");
1206            pairs.push((
1207                "csrf_input".to_string(),
1208                minijinja::Value::from_safe_string(format!(
1209                    r#"<input type="hidden" name="csrf_token" value="{escaped}">"#
1210                )),
1211            ));
1212        }
1213    }
1214
1215    minijinja::Value::from_iter(pairs)
1216}
1217
1218/// Anonymous-user sentinel — the value `user` resolves to in
1219/// templates rendered outside an authenticated context (no auth
1220/// middleware, anonymous request, or the 500-rendering path
1221/// where the middleware's task-local has already dropped).
1222/// Carries only `{ is_authenticated: false }` — enough for
1223/// `{% if user.is_authenticated %}` / `{% if user.is_staff %}`
1224/// to evaluate to false without `umbral templates: undefined
1225/// value` errors that would otherwise mask the original failure.
1226fn anonymous_user_value() -> minijinja::Value {
1227    let mut map = serde_json::Map::new();
1228    map.insert(
1229        "is_authenticated".to_string(),
1230        serde_json::Value::Bool(false),
1231    );
1232    // is_staff / is_superuser default to false too so a template
1233    // gating on either doesn't accidentally render the privileged
1234    // branch when `user` is the anonymous fallback.
1235    map.insert("is_staff".to_string(), serde_json::Value::Bool(false));
1236    map.insert("is_superuser".to_string(), serde_json::Value::Bool(false));
1237    minijinja::Value::from_serialize(serde_json::Value::Object(map))
1238}
1239
1240/// Walk a directory recursively and register every `.html` / `.htm` /
1241/// `.txt` file as a template under its path-relative-to-root name.
1242/// Subdirectories are reachable via forward-slash names: `admin/base.html`.
1243///
1244/// `seen` tracks which names have already been registered across all
1245/// directories. When a name collision is detected (a later directory
1246/// ships a template with the same relative name as an earlier one),
1247/// the duplicate is skipped and the name is appended to `collisions`.
1248/// First-match-wins.
1249fn load_directory(
1250    env: &mut Environment<'static>,
1251    root: &Path,
1252    dir: &Path,
1253    seen: &mut HashSet<String>,
1254    collisions: &mut Vec<String>,
1255) -> Result<(), TemplateError> {
1256    for entry in std::fs::read_dir(dir)? {
1257        let entry = entry?;
1258        let path = entry.path();
1259        if path.is_dir() {
1260            load_directory(env, root, &path, seen, collisions)?;
1261            continue;
1262        }
1263        let Some(ext) = path.extension().and_then(|e| e.to_str()) else {
1264            continue;
1265        };
1266        if !matches!(ext, "html" | "htm" | "txt") {
1267            continue;
1268        }
1269        let rel: PathBuf = path
1270            .strip_prefix(root)
1271            .expect("walked path is rooted at the templates dir")
1272            .to_path_buf();
1273        // minijinja template names are forward-slashed regardless of OS;
1274        // the path display would emit `\` on Windows, so build the name
1275        // explicitly.
1276        let name: String = rel
1277            .components()
1278            .map(|c| c.as_os_str().to_string_lossy().to_string())
1279            .collect::<Vec<_>>()
1280            .join("/");
1281
1282        if seen.contains(&name) {
1283            // Collision: a higher-priority directory already registered
1284            // this name. Record it and skip; init will log after all
1285            // dirs are processed.
1286            if !collisions.contains(&name) {
1287                collisions.push(name.clone());
1288            }
1289            continue;
1290        }
1291
1292        let source = std::fs::read_to_string(&path)?;
1293        env.add_template_owned(name.clone(), source)
1294            .map_err(TemplateError::Render)?;
1295        seen.insert(name);
1296    }
1297    Ok(())
1298}
1299
1300/// Errors the template engine can produce. Narrow at v1: load-time IO,
1301/// engine-not-ready, missing template, render-time minijinja error.
1302#[derive(Debug)]
1303pub enum TemplateError {
1304    /// `App::build()` hasn't run yet, so the ambient engine isn't set.
1305    NotInitialised,
1306    /// `init` was called twice — a programming error in the framework
1307    /// itself, not the user. Surfaced as a `BuildError` if it ever fires.
1308    AlreadyInitialised,
1309    /// IO error reading a template file at boot.
1310    Io(std::io::Error),
1311    /// The requested template name isn't loaded.
1312    Missing(String),
1313    /// Any other minijinja error (syntax, render-time, etc.). The
1314    /// inner `minijinja::Error` carries the diagnostic (line / col /
1315    /// undefined name) so the caller can pass it through `Display`.
1316    Render(minijinja::Error),
1317}
1318
1319impl std::fmt::Display for TemplateError {
1320    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
1321        match self {
1322            TemplateError::NotInitialised => write!(
1323                f,
1324                "umbral templates: engine not initialised — call App::build() first"
1325            ),
1326            TemplateError::AlreadyInitialised => {
1327                write!(f, "umbral templates: init called more than once")
1328            }
1329            TemplateError::Io(e) => write!(f, "umbral templates: io: {e}"),
1330            TemplateError::Missing(name) => write!(
1331                f,
1332                "umbral templates: no template named `{name}`; check the templates directory"
1333            ),
1334            TemplateError::Render(e) => write!(f, "umbral templates: {e}"),
1335        }
1336    }
1337}
1338
1339impl std::error::Error for TemplateError {}
1340
1341impl From<std::io::Error> for TemplateError {
1342    fn from(e: std::io::Error) -> Self {
1343        Self::Io(e)
1344    }
1345}
1346
1347#[cfg(test)]
1348mod tests {
1349    use super::*;
1350    use serde_json::json;
1351
1352    #[test]
1353    fn img_url_scheme_safety() {
1354        // Relative + http(s) are allowed.
1355        assert!(url_scheme_is_safe("/media/cat.png"));
1356        assert!(url_scheme_is_safe("cat.png"));
1357        assert!(url_scheme_is_safe("../up/cat.png"));
1358        assert!(url_scheme_is_safe("http://example.com/cat.png"));
1359        assert!(url_scheme_is_safe("https://example.com/cat.png"));
1360        assert!(url_scheme_is_safe("HTTPS://EXAMPLE.com/cat.png"));
1361        assert!(url_scheme_is_safe("?query=only"));
1362        assert!(url_scheme_is_safe("#fragment"));
1363        // Dangerous / non-http schemes are rejected.
1364        assert!(!url_scheme_is_safe("javascript:alert(1)"));
1365        assert!(!url_scheme_is_safe("  javascript:alert(1)"));
1366        assert!(!url_scheme_is_safe("JaVaScRiPt:alert(1)"));
1367        assert!(!url_scheme_is_safe(
1368            "data:text/html,<script>alert(1)</script>"
1369        ));
1370        assert!(!url_scheme_is_safe("vbscript:msgbox(1)"));
1371        assert!(!url_scheme_is_safe("mailto:a@b.com"));
1372        // Malformed scheme (embedded control char) fails closed.
1373        assert!(!url_scheme_is_safe("java\u{0}script:alert(1)"));
1374    }
1375
1376    #[test]
1377    fn img_filter_neutralises_javascript_url() {
1378        let mut env = minijinja::Environment::new();
1379        register_img_filter(&mut env);
1380        env.add_template("t", "{{ url | img }}").unwrap();
1381        let tmpl = env.get_template("t").unwrap();
1382        let out = tmpl
1383            .render(minijinja::context! { url => "javascript:alert(1)" })
1384            .unwrap();
1385        assert!(
1386            !out.contains("javascript:"),
1387            "javascript: URL must be neutralised; got {out}"
1388        );
1389        assert!(out.contains("src=\"\""), "expected empty src; got {out}");
1390    }
1391
1392    #[test]
1393    fn nested_template_names_are_relative_to_templates_root() {
1394        let tmp = tempfile::tempdir().expect("create temp dir");
1395        let templates = tmp.path().join("templates");
1396        std::fs::create_dir_all(templates.join("base")).expect("create base template dir");
1397        std::fs::create_dir_all(templates.join("content")).expect("create content template dir");
1398
1399        std::fs::write(
1400            templates.join("base").join("site.html"),
1401            "<main>{% block content %}{% endblock %}</main>",
1402        )
1403        .expect("write nested base template");
1404        std::fs::write(
1405            templates.join("content").join("contact.html"),
1406            r#"{% extends "base/site.html" %}{% block content %}<h1>{{ title }}</h1><p>Contact from nested content.</p>{% endblock %}"#,
1407        )
1408        .expect("write nested content template");
1409
1410        let (env, collisions) = build_env(&[templates]).expect("build template env");
1411        assert!(collisions.is_empty());
1412
1413        let rendered = render_with(
1414            &env,
1415            "content/contact.html",
1416            &json!({ "title": "Nested contact" }),
1417        )
1418        .expect("render nested template by relative name");
1419
1420        assert!(rendered.contains("<main>"));
1421        assert!(rendered.contains("<h1>Nested contact</h1>"));
1422        assert!(rendered.contains("Contact from nested content."));
1423    }
1424
1425    /// Render `{{ static(arg) }}` against an env whose `static()` was
1426    /// registered with the given `static_url`. Exercises the helper
1427    /// directly without needing the ambient `Settings` OnceLock (which
1428    /// can't be set under cargo's parallel test runner).
1429    fn render_static(static_url: &str, arg: &str) -> String {
1430        let mut env = Environment::new();
1431        register_static_function(&mut env, static_url.to_string());
1432        env.add_template("t.txt", "{{ static(arg) }}")
1433            .expect("add template");
1434        let tmpl = env.get_template("t.txt").expect("get template");
1435        tmpl.render(json!({ "arg": arg })).expect("render")
1436    }
1437
1438    #[test]
1439    fn static_helper_prepends_root_relative_url() {
1440        assert_eq!(
1441            render_static("/static/", "admin/admin.css"),
1442            "/static/admin/admin.css"
1443        );
1444    }
1445
1446    #[test]
1447    fn static_helper_prepends_cdn_origin() {
1448        assert_eq!(
1449            render_static("https://cdn.example.com/s/", "admin/admin.css"),
1450            "https://cdn.example.com/s/admin/admin.css"
1451        );
1452    }
1453
1454    #[test]
1455    fn static_helper_does_not_double_slash_on_leading_slash_arg() {
1456        assert_eq!(render_static("/static/", "/admin/x"), "/static/admin/x");
1457    }
1458
1459    #[test]
1460    fn highlight_css_contains_hl_rules() {
1461        let css = highlight_css();
1462        assert!(!css.is_empty(), "generated theme CSS should not be empty");
1463        assert!(
1464            css.contains(".hl-"),
1465            "theme CSS must target hl- classes: {css}"
1466        );
1467    }
1468
1469    #[test]
1470    fn fenced_rust_block_gets_syntect_token_spans() {
1471        let html = render_markdown("```rust\nfn main() {}\n```\n");
1472        assert!(
1473            html.contains("language-rust"),
1474            "keeps the language class for the md-enhance label: {html}"
1475        );
1476        assert!(
1477            html.contains("class=\"hl-"),
1478            "emits syntect hl- token spans: {html}"
1479        );
1480    }
1481
1482    #[test]
1483    fn script_in_code_fence_is_escaped_not_executed() {
1484        let html = render_markdown("```\n<script>alert(1)</script>\n```\n");
1485        assert!(!html.contains("<script>"), "no live script tag: {html}");
1486        assert!(
1487            html.contains("&lt;script&gt;"),
1488            "rendered as inert text: {html}"
1489        );
1490    }
1491
1492    #[test]
1493    fn prose_script_is_still_stripped() {
1494        let html = render_markdown("hello <script>alert(1)</script> world");
1495        assert!(!html.contains("<script>"), "prose script stripped: {html}");
1496    }
1497
1498    #[test]
1499    fn markdown_allows_class_but_not_style() {
1500        let html = render_markdown("<span class=\"x\" style=\"color:red\">hi</span>");
1501        assert!(html.contains("class=\"x\""), "class survives: {html}");
1502        assert!(!html.contains("style="), "style stripped: {html}");
1503    }
1504
1505    #[test]
1506    fn unknown_and_plain_fences_do_not_panic() {
1507        let unknown = render_markdown("```notalanguage\nx := 1\n```\n");
1508        let plain = render_markdown("```\nplain text\n```\n");
1509        assert!(
1510            unknown.contains("<pre><code"),
1511            "unknown lang block: {unknown}"
1512        );
1513        assert!(plain.contains("<pre><code"), "plain block: {plain}");
1514        assert!(
1515            unknown.contains("language-notalanguage"),
1516            "unknown lang still labelled: {unknown}"
1517        );
1518    }
1519
1520    /// Security: a hostile fence info token (e.g. `<script>alert(1)</script>`)
1521    /// must NOT appear as a live tag in the output. `wrap_code_block` HTML-escapes
1522    /// the lang token before inserting it into the class attribute value, and
1523    /// ammonia's builder only permits `class` on `<code>` — it does not allow
1524    /// arbitrary attributes or values. So a `<script>` info string is inert.
1525    ///
1526    /// Also asserts that the SAFE path — a plain `language-rust` class on
1527    /// the `<code>` element — still survives after the widened allowlist so
1528    /// the syntect token spans have a hook. This is the regression pin for
1529    /// gaps2 #36 sub-part (a).
1530    #[test]
1531    fn hostile_fence_info_string_is_escaped_and_language_class_survives() {
1532        // Hostile: info token that looks like a script injection.
1533        let hostile = render_markdown("```<script>alert(1)</script>\ncode\n```\n");
1534        assert!(
1535            !hostile.contains("<script>"),
1536            "live <script> from fence info must be stripped: {hostile}"
1537        );
1538        // The escaped form will appear inside a class value; ammonia lets
1539        // class through but the content is HTML-escaped so it is inert.
1540        assert!(
1541            hostile.contains("<pre><code"),
1542            "code block structure must survive: {hostile}"
1543        );
1544
1545        // Hostile: info token with a class-injection attempt.
1546        let class_inject = render_markdown("```evil\" onmouseover=\"alert(1)\ncode\n```\n");
1547        assert!(
1548            !class_inject.contains("onmouseover"),
1549            "event handler injected via fence info must not survive: {class_inject}"
1550        );
1551
1552        // Safe: the normal case — language-rust class must survive so
1553        // syntect hl- spans (server-side) and the md-enhance label both work.
1554        let safe = render_markdown("```rust\nfn ok() {}\n```\n");
1555        assert!(
1556            safe.contains("language-rust"),
1557            "language-rust class must survive sanitization (gaps2 #36a): {safe}"
1558        );
1559        assert!(
1560            safe.contains("class=\"hl-"),
1561            "syntect hl- token spans must survive sanitization: {safe}"
1562        );
1563    }
1564
1565    #[test]
1566    fn highlight_styles_global_emits_a_style_block() {
1567        let mut env = Environment::new();
1568        register_highlight_styles_function(&mut env);
1569        env.add_template("t", "{{ highlight_styles() }}")
1570            .expect("add template");
1571        let out = env
1572            .get_template("t")
1573            .expect("get template")
1574            .render(())
1575            .expect("render");
1576        assert!(out.starts_with("<style>"), "wraps in a style block: {out}");
1577        assert!(out.contains(".hl-"), "carries the token CSS: {out}");
1578        assert!(
1579            out.trim_end().ends_with("</style>"),
1580            "closes the style block: {out}"
1581        );
1582    }
1583}