umbral_core/templates.rs
1//! Server-side HTML rendering via minijinja.
2//!
3//! Templates live under one or more directories on disk. At boot,
4//! `App::build()` assembles an ordered search list:
5//!
6//! 1. The project-level directory configured via
7//! `AppBuilder::templates_dir` (default `./templates`).
8//! 2. Each registered plugin's `Plugin::templates_dirs()` contributions,
9//! in topological dependency order.
10//!
11//! The first directory that contains a given template name wins. This
12//! makes cross-plugin `{% extends "base.html" %}` work automatically —
13//! the extends lookup searches every directory the same way a direct
14//! render call does. Plugin A can extend `base.html` from plugin B as
15//! long as B's directory appears in the search list.
16//!
17//! When two directories both provide a template with the same name, the
18//! first-match-wins policy applies and a `tracing::warn!` is emitted at
19//! boot so the collision is visible in the log. First-match-wins across
20//! all template directories. Silently-overridden templates are a
21//! well-known footgun, so the warning is non-optional.
22//!
23//! Rendering goes through one ambient accessor, [`render`], which reads
24//! the engine the App builder published into an `OnceLock` during build.
25//!
26//! ```ignore
27//! let html = umbral::templates::render("articles_list.html", &context!(articles))?;
28//! ```
29//!
30//! ## Autoescape
31//!
32//! Any template whose name ends in `.html` or `.htm` renders with
33//! autoescape on. Text templates (`.txt`) render verbatim. The autoescape
34//! callback extension whitelist MUST stay in sync with the loader's
35//! `load_directory` filter (currently `html | htm | txt`).
36//!
37//! ## v1 scope
38//!
39//! - One project-level templates directory (default `./templates/`,
40//! relative to the binary's cwd) plus per-plugin directories.
41//! - Jinja2-compatible syntax via minijinja: `{% extends %}`, `{% block %}`,
42//! `{% if %}`, `{% for %}`, `{{ value }}`, the standard filter set.
43//! - Autoescape for any template whose name ends in `.html` or `.htm`.
44//! - Init is best-effort: if no directory exists the engine boots empty.
45//! Calls to [`render`] then return `TemplateError::Missing`.
46//!
47//! ## Deferred
48//!
49//! - Custom filters and tests registered through `Plugin::on_ready`.
50//! - Hot reload in development via `minijinja-autoreload`.
51
52use std::collections::HashSet;
53use std::future::Future;
54use std::path::{Path, PathBuf};
55use std::pin::Pin;
56use std::sync::Arc;
57use std::sync::OnceLock;
58
59use minijinja::{AutoEscape, Environment};
60use syntect::highlighting::ThemeSet;
61use syntect::html::{ClassStyle, ClassedHTMLGenerator, css_for_theme_with_class_style};
62use syntect::parsing::SyntaxSet;
63use syntect::util::LinesWithEndings;
64
65tokio::task_local! {
66 /// Per-request ambient user value, set by a session-aware layer
67 /// (typically `umbral_sessions::UserContextLayer<U>`) and read by
68 /// [`render`] to expose the current `user` in
69 /// templates. `None` means an anonymous request.
70 ///
71 /// Outside the layer's scope, `try_with` returns `Err(AccessError)`
72 /// and `render` skips the merge — explicit ctx behaviour is
73 /// preserved when no layer is installed.
74 pub static CURRENT_USER: Option<minijinja::Value>;
75
76 /// Per-request CSRF token, set by `umbral-security`'s middleware and
77 /// read by [`render`] to inject `csrf_token` / `csrf_input` into
78 /// every template, for the `{% csrf_token %}` ergonomic. Outside
79 /// the middleware's scope nothing is injected (a template that
80 /// references `{{ csrf_token }}` then renders it empty under the
81 /// engine's lenient-undefined behaviour).
82 pub static CURRENT_CSRF: Option<String>;
83
84 /// Lazy counterpart to `CURRENT_USER`: a resolver that produces the
85 /// user value on first access, memoized. Set by an auth middleware that
86 /// wants per-request laziness (resolve only if a template reads `user`).
87 pub static CURRENT_USER_LAZY: LazyUser;
88}
89
90type UserFut = Pin<Box<dyn Future<Output = minijinja::Value> + Send>>;
91type UserResolver = Arc<dyn Fn() -> UserFut + Send + Sync>;
92
93/// A lazily-resolved, per-request template `user`. The `resolver` runs at
94/// most once (guarded by the `OnceCell`); resolution happens synchronously
95/// from inside minijinja's sync render via `block_in_place`.
96///
97/// The lazy value is injected into the template context as a minijinja `Object`
98/// proxy ([`LazyUserProxy`]). Minijinja calls `get_value` on the proxy only
99/// when the template actually accesses an attribute on `user`, so requests that
100/// never render `user` skip resolution entirely.
101#[derive(Clone)]
102pub struct LazyUser {
103 cell: Arc<tokio::sync::OnceCell<minijinja::Value>>,
104 resolver: UserResolver,
105}
106
107impl LazyUser {
108 pub fn new<F, Fut>(resolver: F) -> Self
109 where
110 F: Fn() -> Fut + Send + Sync + 'static,
111 Fut: Future<Output = minijinja::Value> + Send + 'static,
112 {
113 Self {
114 cell: Arc::new(tokio::sync::OnceCell::new()),
115 resolver: Arc::new(move || Box::pin(resolver())),
116 }
117 }
118
119 /// Resolve (memoized) from a synchronous context. Requires a multi-thread
120 /// tokio runtime; on a current-thread runtime or outside any runtime it
121 /// logs and returns the anonymous value so callers fall back cleanly.
122 fn resolve_blocking(&self) -> minijinja::Value {
123 use tokio::runtime::{Handle, RuntimeFlavor};
124 let Ok(handle) = Handle::try_current() else {
125 return anonymous_user_value();
126 };
127 if handle.runtime_flavor() == RuntimeFlavor::CurrentThread {
128 tracing::warn!(
129 "umbral::templates: lazy `user` needs a multi-thread runtime; rendering anonymous"
130 );
131 return anonymous_user_value();
132 }
133 let cell = self.cell.clone();
134 let resolver = self.resolver.clone();
135 tokio::task::block_in_place(move || {
136 handle.block_on(async move { cell.get_or_init(|| resolver()).await.clone() })
137 })
138 }
139
140 /// Wrap this `LazyUser` in a minijinja `Value` proxy that resolves on
141 /// first attribute access from inside the synchronous render loop.
142 fn into_proxy_value(self) -> minijinja::Value {
143 minijinja::Value::from_object(LazyUserProxy(self))
144 }
145}
146
147/// A minijinja Object proxy that defers resolution of the user until the
148/// template actually accesses an attribute (e.g. `{{ user.is_staff }}`).
149/// Minijinja calls `get_value` for attribute access — we resolve there, not
150/// at context-merge time.
151struct LazyUserProxy(LazyUser);
152
153impl std::fmt::Debug for LazyUserProxy {
154 fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
155 f.write_str("LazyUserProxy")
156 }
157}
158
159impl std::fmt::Display for LazyUserProxy {
160 fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
161 // `{{ user }}` — resolve (memoized) and delegate to the resolved
162 // value's own Display so bare rendering is faithful. Uses the same
163 // `resolve_blocking` path as `get_value` to ensure at-most-once
164 // resolution and the same current-thread / no-runtime fallback.
165 let resolved = self.0.resolve_blocking();
166 std::fmt::Display::fmt(&resolved, f)
167 }
168}
169
170impl minijinja::value::Object for LazyUserProxy {
171 fn get_value(self: &Arc<Self>, key: &minijinja::Value) -> Option<minijinja::Value> {
172 let resolved = self.0.resolve_blocking();
173 resolved.get_item(key).ok()
174 }
175
176 fn is_true(self: &Arc<Self>) -> bool {
177 // `{% if user %}` — resolve (memoized) and delegate to the resolved
178 // value's truthiness so the proxy faithfully represents whether the
179 // resolved value is truthy. Uses the same `resolve_blocking` path as
180 // `get_value` so resolution is still at most once per request.
181 self.0.resolve_blocking().is_true()
182 }
183}
184
185/// Scope a lazy `user` resolver for the duration of `fut`.
186pub async fn with_current_user_lazy<F: Future>(lazy: LazyUser, fut: F) -> F::Output {
187 CURRENT_USER_LAZY.scope(lazy, fut).await
188}
189
190/// Run `fut` with the ambient template user value scoped to `user`
191/// for its duration. Intended for the session-aware layer in
192/// `umbral-sessions`; downstream handler code reads the value
193/// transparently through [`render`].
194pub async fn with_current_user<F: std::future::Future>(
195 user: Option<minijinja::Value>,
196 fut: F,
197) -> F::Output {
198 CURRENT_USER.scope(user, fut).await
199}
200
201/// Run `fut` with the ambient CSRF token scoped for its duration.
202/// Intended for the CSRF middleware in `umbral-security`; downstream
203/// handler code reads the value transparently through [`render`]
204/// (as `{{ csrf_token }}` / `{{ csrf_input }}`) or [`current_csrf`].
205pub async fn with_current_csrf<F: std::future::Future>(token: Option<String>, fut: F) -> F::Output {
206 CURRENT_CSRF.scope(token, fut).await
207}
208
209/// Read the ambient CSRF token, if a middleware has scoped one for
210/// this request. Non-template consumers (e.g. the admin's login form
211/// builder) use this to embed the same token the middleware minted,
212/// instead of minting their own.
213pub fn current_csrf() -> Option<String> {
214 CURRENT_CSRF.try_with(|t| t.clone()).ok().flatten()
215}
216
217/// Watched template directories captured at `init` time. Stored
218/// separately so the dev-mode render path can rebuild the environment
219/// from the same sources without re-publishing the OnceLock.
220static WATCHED_DIRS: OnceLock<Vec<PathBuf>> = OnceLock::new();
221use serde::Serialize;
222
223static ENGINE: OnceLock<Environment<'static>> = OnceLock::new();
224
225/// A plugin-contributed mutation of the template [`Environment`]: adds
226/// custom filters, functions, or globals at engine-build time
227/// (feature #67 - custom template tags/filters). Returned by
228/// `Plugin::template_registrars` and stored process-wide so the dev-mode
229/// hot-reload rebuild re-applies it.
230///
231/// It is `Fn` (not `FnOnce`) on purpose: in dev mode the engine is
232/// rebuilt on every template edit, so each registrar runs once per build.
233/// Make it owned and `'static` (no borrows of the plugin) so it survives
234/// in the [`REGISTRARS`] handle past `App::build`.
235pub type TemplateRegistrar = Box<dyn Fn(&mut Environment<'static>) + Send + Sync>;
236
237/// Plugin-contributed [`TemplateRegistrar`]s captured at `init_with` time.
238/// Stored separately from [`ENGINE`] so the dev-mode rebuild path (which
239/// goes through [`build_env`]) re-applies them without the App builder.
240static REGISTRARS: OnceLock<Vec<TemplateRegistrar>> = OnceLock::new();
241
242/// Register the built-in default 404/500 templates into an environment.
243///
244/// Called from `init` before any disk directories are scanned. The names
245/// use the `__umbral__/` prefix so they can never collide with a user's
246/// `templates/` directory (slashes aren't meaningful to the engine's name
247/// lookup — `__umbral__/default_404.html` is just a unique string key).
248///
249/// Because the user's disk directories are added after this call and
250/// first-match-wins is enforced by the `seen` set, a user who places a
251/// file named `__umbral__/default_404.html` in their own templates dir will
252/// silently replace the built-in — which is the intended escape hatch.
253/// (Callers who want a cleaner opt-out should use
254/// `App::builder().disable_default_error_pages()` instead.)
255/// gaps2 #21 — register the `img` MiniJinja filter that turns a URL
256/// into a fully-formed, performance-correct `<img>` tag.
257///
258/// Filter signature:
259/// `{{ url | img(alt="…", width=N, height=N, class="…") }}`
260///
261/// Output shape:
262/// `<img src="<url>" alt="<alt>" loading="lazy" decoding="async"
263/// width="<w>" height="<h>" class="<class>">`
264///
265/// Why this set of attributes:
266/// - `loading="lazy"` — the gap's primary ask. Browsers defer
267/// off-viewport image fetches until they're about to be needed,
268/// shrinking LCP + initial bandwidth.
269/// - `decoding="async"` — lets the browser decode the image off
270/// the main thread; prevents render-blocking decode work on
271/// slower devices.
272/// - explicit `width`/`height` (when provided) reserves layout
273/// space immediately so lazy-loading doesn't cause CLS
274/// (cumulative layout shift). Omitted if either is missing.
275/// - empty `alt=""` default is screen-reader-friendly for
276/// decorative images. Callers SHOULD pass a real `alt` for
277/// meaningful content images.
278///
279/// What's NOT included on day one (deferred to a later slice):
280/// - `srcset` for responsive resolutions — needs the on-the-fly
281/// resize handler (gap 21 Option C) before the filter knows
282/// real asset dimensions.
283/// - `<picture>` with `webp`/`avif` sources — same blocker; the
284/// transcode endpoint has to exist first.
285///
286/// Output is wrapped in `minijinja::value::Value::from_safe_string`
287/// so MiniJinja's autoescape doesn't double-escape the `<` / `>`
288/// characters — the attribute values themselves still go through
289/// `html_escape` so a hostile alt-text can't break out of the
290/// attribute quote.
291/// True when `url` is safe to place in an `<img src>`: a relative URL
292/// (no scheme) or an `http`/`https` absolute URL. Any other scheme
293/// (`javascript:`, `data:`, `vbscript:`, …) is rejected. Fails closed:
294/// a malformed scheme (embedded control chars, spaces) is also rejected.
295fn url_scheme_is_safe(url: &str) -> bool {
296 let trimmed = url.trim();
297 // A URL scheme is the run before the first ':' — but only if no
298 // '/', '?', '#' appears first (those mean a relative path/query).
299 let mut scheme_end = None;
300 for (i, c) in trimmed.char_indices() {
301 match c {
302 ':' => {
303 scheme_end = Some(i);
304 break;
305 }
306 '/' | '?' | '#' => break,
307 _ => {}
308 }
309 }
310 let Some(end) = scheme_end else {
311 return true; // no scheme → relative URL → safe
312 };
313 let scheme = &trimmed[..end];
314 // A real scheme is alpha then [a-z0-9+.-]*. Anything else is suspicious.
315 let mut chars = scheme.chars();
316 let well_formed = matches!(chars.next(), Some(c) if c.is_ascii_alphabetic())
317 && chars.all(|c| c.is_ascii_alphanumeric() || matches!(c, '+' | '.' | '-'));
318 if !well_formed {
319 return false;
320 }
321 let lower = scheme.to_ascii_lowercase();
322 lower == "http" || lower == "https"
323}
324
325fn register_img_filter(env: &mut Environment<'static>) {
326 env.add_filter(
327 "img",
328 |url: String,
329 kwargs: minijinja::value::Kwargs|
330 -> Result<minijinja::Value, minijinja::Error> {
331 let alt: String = kwargs.get::<Option<String>>("alt")?.unwrap_or_default();
332 let width: Option<i64> = kwargs.get("width")?;
333 let height: Option<i64> = kwargs.get("height")?;
334 let class: Option<String> = kwargs.get("class")?;
335 // Accept the extras even when the call doesn't pass them
336 // — kwargs.get returns Ok(None) for absent keys but
337 // .assert_all_used() at the end will catch a typo'd
338 // `alt_text` so the user gets a clear error instead of
339 // silent drop. Matches the rest of the framework's
340 // strict-input posture.
341 kwargs.assert_all_used()?;
342
343 // Defense-in-depth: never emit a `javascript:` / `data:` /
344 // other non-http(s) scheme into `src`. Not a live XSS (browsers
345 // don't run JS from `<img src>` and the value is HTML-escaped),
346 // but a hostile stored URL has no business here. A disallowed
347 // scheme neutralises to an empty src (broken image) rather than
348 // erroring the whole page on user data.
349 let url = if url_scheme_is_safe(&url) {
350 url
351 } else {
352 String::new()
353 };
354
355 let mut out = String::with_capacity(url.len() + 128);
356 out.push_str("<img src=\"");
357 html_escape_into(&mut out, &url);
358 out.push_str("\" alt=\"");
359 html_escape_into(&mut out, &alt);
360 out.push_str("\" loading=\"lazy\" decoding=\"async\"");
361 if let Some(w) = width {
362 out.push_str(" width=\"");
363 out.push_str(&w.to_string());
364 out.push('"');
365 }
366 if let Some(h) = height {
367 out.push_str(" height=\"");
368 out.push_str(&h.to_string());
369 out.push('"');
370 }
371 if let Some(c) = class {
372 if !c.is_empty() {
373 out.push_str(" class=\"");
374 html_escape_into(&mut out, &c);
375 out.push('"');
376 }
377 }
378 out.push('>');
379 Ok(minijinja::Value::from_safe_string(out))
380 },
381 );
382}
383
384/// features.md #4 — register the `markdown` filter that turns a
385/// CommonMark + GFM string into sanitized HTML.
386///
387/// Filter signature: `{{ body | markdown }}`.
388///
389/// Pipeline:
390/// 1. `pulldown-cmark` parses the input with GFM extensions on
391/// (tables, strikethrough, task lists, footnotes) and renders to
392/// HTML.
393/// 2. `ammonia` sanitizes that HTML — strips `<script>`, inline event
394/// handlers (`onerror=`, `onclick=`), `javascript:` URLs, and any
395/// tag/attribute outside its safe allowlist. This is the security
396/// boundary: user-supplied markdown (plugin bodies, usage docs,
397/// reviews) is rendered, never trusted.
398/// 3. The result is wrapped in `Value::from_safe_string` so MiniJinja's
399/// autoescape emits the generated tags as markup instead of
400/// re-escaping them into `<...>`.
401///
402/// Why sanitize after rendering rather than trusting the parser: raw
403/// HTML embedded in a markdown source (`<script>...`) passes straight
404/// through pulldown-cmark by design. ammonia is the layer that makes
405/// "render whatever the user typed" safe.
406///
407/// Deferred (separate slices): syntax highlighting on fenced code
408/// blocks (ammonia strips the `language-*` class today) and a
409/// configurable allowlist for embeds — see the gap entries.
410/// Register the global `static()` template function so templates can
411/// write `{{ static("admin/admin.css") }}` and get back a URL prefixed
412/// with the configured `static_url`.
413///
414/// `static_url` is captured into the closure when the environment is
415/// built (rather than read per-call) — the value is fixed for the
416/// process at `App::build()` time, and minijinja functions can't reach
417/// the ambient `Settings` directly. The dev-mode render path rebuilds
418/// the env per render via [`build_env`], so a `static_url` change would
419/// be picked up there too; in practice it never changes at runtime.
420///
421/// Resolution joins `static_url` and the argument with exactly one
422/// slash: a leading slash on the argument (`static("/admin/x")`) is
423/// trimmed so the result never double-slashes. With the default
424/// `static_url = "/static/"`, `static("admin/admin.css")` yields
425/// `"/static/admin/admin.css"`; with a CDN origin
426/// `static_url = "https://cdn.example.com/s/"` it yields
427/// `"https://cdn.example.com/s/admin/admin.css"`.
428fn register_static_function(env: &mut Environment<'static>, static_url: String) {
429 env.add_function("static", move |path: String| -> String {
430 // Route through the manifest-aware resolver so a `--hashed`
431 // collect makes `{{ static("css/app.css") }}` emit the
432 // content-hashed URL. The captured `static_url` is the fixed
433 // prefix; the manifest lookup is the only per-call ambient read.
434 if let Some(hashed) = crate::static_files::manifest_lookup(&path) {
435 return join_static_url(&static_url, hashed);
436 }
437 join_static_url(&static_url, &path)
438 });
439}
440
441/// Join a `static_url` prefix and an asset path with exactly one slash.
442///
443/// `static_url` is normalised to end in a slash by [`crate::settings`];
444/// the asset path may or may not lead with one, so its leading slash is
445/// trimmed before the join. With `static_url = "/static/"`,
446/// `join_static_url(.., "admin/admin.css")` yields
447/// `"/static/admin/admin.css"`.
448fn join_static_url(static_url: &str, path: &str) -> String {
449 format!("{}{}", static_url, path.trim_start_matches('/'))
450}
451
452/// Resolve an asset path against the ambient `static_url`, mirroring the
453/// `static()` template global outside a minijinja render.
454///
455/// Plugins that build their own minijinja [`Environment`] (the admin
456/// engine, for one) call this to register an equivalent `static()`
457/// function so their templates can write `{{ static("admin/admin.css") }}`
458/// and resolve through the same unified static pipeline URL as the core
459/// engine. Reads `static_url` from ambient [`crate::settings`], defaulting
460/// to `/static/` when settings aren't initialised yet (bare unit tests).
461pub fn resolve_static_url(path: &str) -> String {
462 let static_url = crate::settings::get_opt()
463 .map(|s| s.static_url.clone())
464 .unwrap_or_else(|| "/static/".to_string());
465
466 // Manifest cache-busting (hashed static-file storage): when
467 // `collectstatic --hashed` has run, a `staticfiles.json` maps the
468 // logical path the template wrote (`css/app.css`) to its
469 // content-hashed name (`css/app.<hash>.css`). Resolving to the hashed
470 // URL lets the asset carry far-future cache headers — the hash in the
471 // name changes whenever the bytes do, so a stale cache can never mask
472 // a new build. When no manifest is loaded (no `--hashed` run), the
473 // lookup misses and we serve the plain path exactly as before.
474 if let Some(hashed) = crate::static_files::manifest_lookup(path) {
475 return join_static_url(&static_url, hashed);
476 }
477
478 join_static_url(&static_url, path)
479}
480
481/// Register the global `media_url()` template function so a template can
482/// write `{{ media_url(plugin.logo) }}` and get back the public URL for a
483/// stored file/image KEY, resolved through the ambient
484/// [`crate::storage::Storage`] backend.
485///
486/// Mirrors the `static()` global ([`register_static_function`]) but for
487/// user-uploaded media instead of developer-shipped assets:
488/// `ImageField` / `FileField` serialize as the bare storage key, so
489/// `{{ media_url(plugin.logo) }}` (where `plugin.logo` is the key string)
490/// resolves to the storage backend's public URL.
491///
492/// - An empty key yields the empty string (the surrounding `{% if %}`
493/// guard skips the markup).
494/// - With no `Storage` backend registered, the raw key falls through
495/// unchanged.
496/// - A `None`/optional field serializes to null, which the template's
497/// `{% if %}` guard handles before the helper is ever called.
498fn register_media_url_function(env: &mut Environment<'static>) {
499 env.add_function("media_url", |key: String| -> String {
500 if key.is_empty() {
501 return String::new();
502 }
503 crate::storage::storage_opt()
504 .map(|s| s.url(&key))
505 .unwrap_or(key)
506 });
507}
508
509/// Register the `{{ querystring_with(current_query, key, value) }}` global
510/// (gaps/features #65 — template pagination). Rebuilds a querystring
511/// replacing one key while preserving every other parameter, the fiddly bit
512/// behind a pagination nav that has to carry `?sort=name` across every
513/// `?page=N` link. Backed by [`crate::pagination::querystring_with`] so the
514/// encode/replace logic stays in one place and is unit-tested there. The
515/// returned string has no leading `?`; the template prepends one.
516fn register_querystring_with_function(env: &mut Environment<'static>) {
517 env.add_function(
518 "querystring_with",
519 // `value` is a `minijinja::Value`, not a `String`: the nav passes
520 // `page.next_page_number` / `item.n`, which are integers, and
521 // minijinja does NOT auto-coerce an int arg into a `String`
522 // parameter — it'd raise a type error at render. Accepting `Value`
523 // and stringifying covers ints, strings, and bools uniformly.
524 |current_query: String, key: String, value: minijinja::Value| -> String {
525 crate::pagination::querystring_with(¤t_query, &key, &value.to_string())
526 },
527 );
528}
529
530fn register_markdown_filter(env: &mut Environment<'static>) {
531 env.add_filter("markdown", |input: String| -> minijinja::Value {
532 minijinja::Value::from_safe_string(render_markdown(&input))
533 });
534}
535
536/// Register the `{{ highlight_styles() }}` global: emits the generated
537/// `base16-ocean.dark` token stylesheet wrapped in a `<style>` block, for a
538/// base template to drop into `<head>` once. The CSS is a safe string
539/// (generated by syntect from a fixed theme, no user input), so it is
540/// marked safe to skip minijinja autoescape.
541fn register_highlight_styles_function(env: &mut Environment<'static>) {
542 env.add_function("highlight_styles", || -> minijinja::Value {
543 minijinja::Value::from_safe_string(format!("<style>{}</style>", highlight_css()))
544 });
545}
546
547/// features.md #67 — `{{ now() }}` / `{{ now("%Y-%m-%d") }}`. Renders the
548/// current UTC time, optionally via a chrono `strftime` format string.
549/// With no argument it emits RFC 3339 (e.g. `2026-06-13T10:30:00+00:00`).
550/// The reference built-in tag for the custom-tag surface.
551fn register_now_function(env: &mut Environment<'static>) {
552 env.add_function("now", |fmt: Option<String>| -> String {
553 let now = chrono::Utc::now();
554 match fmt {
555 Some(f) if !f.is_empty() => now.format(&f).to_string(),
556 _ => now.to_rfc3339(),
557 }
558 });
559}
560
561/// features.md #67 — `{{ price | currency }}` / `{{ price | currency("EUR") }}`.
562/// Formats a number as money: two decimals, thousands grouping, and a
563/// leading symbol for the common ISO codes (USD/EUR/GBP/JPY); an unknown
564/// code falls back to `1,234.56 CODE`. The reference built-in filter.
565fn register_currency_filter(env: &mut Environment<'static>) {
566 env.add_filter("currency", |amount: f64, code: Option<String>| -> String {
567 let code = code.unwrap_or_else(|| "USD".to_string());
568 let symbol = match code.as_str() {
569 "USD" | "AUD" | "CAD" | "NZD" => "$",
570 "EUR" => "€",
571 "GBP" => "£",
572 "JPY" | "CNY" => "¥",
573 "KES" => "KSh ",
574 _ => "",
575 };
576 // Sign goes outside the symbol: -$12.40, not $-12.40.
577 let sign = if amount < 0.0 { "-" } else { "" };
578 let body = group_thousands(amount.abs());
579 if symbol.is_empty() {
580 format!("{sign}{body} {code}")
581 } else {
582 format!("{sign}{symbol}{body}")
583 }
584 });
585}
586
587/// Format a float with two decimals and comma thousands separators on the
588/// integer part: `1234567.5 -> "1,234,567.50"`, `-12.4 -> "-12.40"`.
589fn group_thousands(amount: f64) -> String {
590 let negative = amount.is_sign_negative() && amount != 0.0;
591 let formatted = format!("{:.2}", amount.abs());
592 let (int_part, frac_part) = formatted.split_once('.').unwrap_or((&formatted, "00"));
593
594 let mut grouped = String::new();
595 let digits: Vec<char> = int_part.chars().collect();
596 for (i, ch) in digits.iter().enumerate() {
597 if i > 0 && (digits.len() - i) % 3 == 0 {
598 grouped.push(',');
599 }
600 grouped.push(*ch);
601 }
602 format!("{}{grouped}.{frac_part}", if negative { "-" } else { "" })
603}
604
605/// features.md #4 — register the `sanitize` filter: clean a string of
606/// HTML (e.g. the output of the admin's RTE widget, which stores
607/// HTML rather than markdown) down to ammonia's safe allowlist and
608/// hand it to the template as a safe string.
609///
610/// `{{ body | sanitize }}` is the display companion to the `rte`
611/// widget the way `{{ body | markdown }}` is to the `markdown` widget:
612/// the stored value is HTML, so it's sanitized — never trusted — before
613/// it reaches the page. A value tampered with via the REST write path
614/// (which doesn't go through the editor) is made safe here.
615fn register_sanitize_filter(env: &mut Environment<'static>) {
616 env.add_filter("sanitize", |input: String| -> minijinja::Value {
617 minijinja::Value::from_safe_string(sanitize_html(&input))
618 });
619}
620
621/// Clean `input` HTML down to ammonia's safe allowlist (strips
622/// `<script>`, event handlers, `javascript:` URLs, etc.). The
623/// non-markdown sibling of [`render_markdown`] — use it on stored HTML
624/// (the RTE widget's output).
625pub fn sanitize_html(input: &str) -> String {
626 ammonia::clean(input)
627}
628
629/// The class prefix syntect token spans carry (`hl-keyword`, `hl-string`,
630/// `hl-source`, …). Shared by the highlighter and the generated
631/// stylesheet so the two never drift.
632const HL_PREFIX: &str = "hl-";
633
634fn hl_class_style() -> ClassStyle {
635 ClassStyle::SpacedPrefixed { prefix: HL_PREFIX }
636}
637
638/// The bundled syntect syntax set, loaded once. The load parses a binary
639/// dump and is expensive, so it is cached for the life of the process.
640fn syntax_set() -> &'static SyntaxSet {
641 static SYNTAX_SET: OnceLock<SyntaxSet> = OnceLock::new();
642 SYNTAX_SET.get_or_init(SyntaxSet::load_defaults_newlines)
643}
644
645/// The `base16-ocean.dark` token stylesheet, generated once from syntect's
646/// bundled theme with the `hl-` class prefix. This is the single source of
647/// truth for token colors — the markdown highlighter emits matching
648/// classes. Returns `""` only if syntect cannot generate the CSS (it
649/// always can for a bundled theme), so callers never need to handle an
650/// error.
651pub fn highlight_css() -> &'static str {
652 static HIGHLIGHT_CSS: OnceLock<String> = OnceLock::new();
653 HIGHLIGHT_CSS
654 .get_or_init(|| {
655 let themes = ThemeSet::load_defaults();
656 match themes.themes.get("base16-ocean.dark") {
657 Some(theme) => {
658 css_for_theme_with_class_style(theme, hl_class_style()).unwrap_or_default()
659 }
660 None => String::new(),
661 }
662 })
663 .as_str()
664}
665
666/// Return `true` iff every character in a fence info token is safe to
667/// embed verbatim in a `class="language-…"` HTML attribute value.
668///
669/// A legitimate language token is just a word: `rust`, `c++`, `c#`,
670/// `shell`, `text/plain`, etc. It never needs `<`, `>`, `"`, `'`, `=`,
671/// backticks, or whitespace. Rejecting those characters closes the
672/// class-injection vector that would otherwise let a hostile fence like
673/// `` ```<script>alert(1)</script> `` survive ammonia's pass (ammonia
674/// allows `class` on `<code>` but does not filter the attribute VALUE).
675fn fence_lang_is_safe(lang: &str) -> bool {
676 !lang.is_empty()
677 && lang.len() <= 64
678 && lang.chars().all(|c| {
679 c.is_ascii_alphanumeric()
680 || matches!(c, '+' | '-' | '_' | '.' | '#' | '/' | '@')
681 })
682}
683
684/// Render one fenced code block to safe HTML. `lang` is the fence info
685/// token (`Some("rust")`) or `None` for an unlabelled / indented block.
686/// With a known language the body is syntect-highlighted into `hl-` token
687/// spans; otherwise — or on any highlighter error — it falls back to a
688/// plain escaped block that still carries `class="language-…"` so the
689/// `md-enhance.js` label keeps working. Never panics, never drops the
690/// user's code.
691fn highlight_code_block(lang: Option<&str>, src: &str) -> String {
692 // Validate the lang token before touching it. A hostile fence info
693 // string (e.g. `<script>alert(1)</script>`) must never land in the
694 // `class="language-…"` attribute value even after HTML-escaping,
695 // because ammonia re-parses the tree and may not re-escape `<`/`>`
696 // that appear inside attribute values of allowed elements. Treating
697 // an unsafe token as `None` produces a plain unlabelled code block
698 // (still safe and still readable) rather than a class-injection path.
699 let lang = lang.filter(|l| fence_lang_is_safe(l));
700
701 let ss = syntax_set();
702 let syntax = lang.and_then(|l| {
703 ss.find_syntax_by_token(l)
704 .or_else(|| ss.find_syntax_by_extension(l))
705 });
706 if let Some(syntax) = syntax {
707 let mut generator =
708 ClassedHTMLGenerator::new_with_class_style(syntax, ss, hl_class_style());
709 let mut ok = true;
710 for line in LinesWithEndings::from(src) {
711 if generator
712 .parse_html_for_line_which_includes_newline(line)
713 .is_err()
714 {
715 ok = false;
716 break;
717 }
718 }
719 if ok {
720 // `finalize()` returns safe `<span class="hl-…">` markup —
721 // pass it through unescaped.
722 return wrap_code_block(lang, &generator.finalize());
723 }
724 }
725 // Fallback: escape the raw text so it is inert, then wrap.
726 let mut escaped = String::with_capacity(src.len());
727 html_escape_into(&mut escaped, src);
728 wrap_code_block(lang, &escaped)
729}
730
731/// Wrap inner code HTML (token spans, or escaped plain text) in
732/// `<pre><code class="language-…">` so the md-enhance frame + language
733/// label attach. The language token is HTML-escaped before it lands in the
734/// class value (it comes straight from the fence info string).
735fn wrap_code_block(lang: Option<&str>, inner: &str) -> String {
736 let mut out = String::with_capacity(inner.len() + 48);
737 out.push_str("<pre><code");
738 if let Some(l) = lang {
739 out.push_str(" class=\"language-");
740 html_escape_into(&mut out, l);
741 out.push('"');
742 }
743 out.push('>');
744 out.push_str(inner);
745 out.push_str("</code></pre>");
746 out
747}
748
749/// Render CommonMark + GFM `input` to sanitized HTML. Pulled out of the
750/// filter closure so it's unit-testable and reusable by any future
751/// Rust-side caller (e.g. a REST endpoint that returns pre-rendered
752/// HTML).
753pub fn render_markdown(input: &str) -> String {
754 use pulldown_cmark::{CodeBlockKind, Event, Options, Parser, Tag, TagEnd, html};
755
756 let mut options = Options::empty();
757 options.insert(Options::ENABLE_TABLES);
758 options.insert(Options::ENABLE_STRIKETHROUGH);
759 options.insert(Options::ENABLE_TASKLISTS);
760 options.insert(Options::ENABLE_FOOTNOTES);
761
762 let parser = Parser::new_ext(input, options);
763
764 // Rewrite the event stream: replace each code block with a single
765 // pre-highlighted Html event. The fence info token selects the syntect
766 // syntax; everything else passes through unchanged.
767 let mut events: Vec<Event> = Vec::new();
768 let mut in_code = false;
769 let mut code_lang: Option<String> = None;
770 let mut code_buf = String::new();
771 for event in parser {
772 match event {
773 Event::Start(Tag::CodeBlock(kind)) => {
774 in_code = true;
775 code_buf.clear();
776 code_lang = match kind {
777 CodeBlockKind::Fenced(info) => {
778 info.split_whitespace().next().map(str::to_string)
779 }
780 CodeBlockKind::Indented => None,
781 };
782 }
783 Event::End(TagEnd::CodeBlock) => {
784 in_code = false;
785 let highlighted = highlight_code_block(code_lang.as_deref(), &code_buf);
786 events.push(Event::Html(highlighted.into()));
787 }
788 Event::Text(text) if in_code => code_buf.push_str(&text),
789 other => events.push(other),
790 }
791 }
792
793 let mut rendered = String::new();
794 html::push_html(&mut rendered, events.into_iter());
795
796 // Sanitize. `pre`/`code`/`span` are already default-allowed tags, so we
797 // widen the allowlist by exactly one inert attribute — `class` on those
798 // three — letting syntect's `hl-` token spans and the `language-*` label
799 // survive. style / on* handlers / javascript: URLs stay stripped: this is
800 // the whole "safely" surface. Built per call: ammonia::Builder isn't Sync
801 // (boxed attribute_filter), so it can't be a shared static without a Mutex
802 // that would serialize rendering; this costs the same as ammonia::clean.
803 let mut cleaner = ammonia::Builder::default();
804 cleaner.add_tag_attributes("pre", &["class"]);
805 cleaner.add_tag_attributes("code", &["class"]);
806 cleaner.add_tag_attributes("span", &["class"]);
807 cleaner.clean(&rendered).to_string()
808}
809
810/// Tiny HTML attribute-value escape — covers the four characters
811/// that can break out of a double-quoted attribute context.
812/// Centralised here because the framework doesn't otherwise need
813/// to ship an html_escape crate dep just for the img filter.
814fn html_escape_into(out: &mut String, s: &str) {
815 for ch in s.chars() {
816 match ch {
817 '&' => out.push_str("&"),
818 '<' => out.push_str("<"),
819 '>' => out.push_str(">"),
820 '"' => out.push_str("""),
821 '\'' => out.push_str("'"),
822 c => out.push(c),
823 }
824 }
825}
826
827fn register_default_templates(
828 env: &mut Environment<'static>,
829 seen: &mut std::collections::HashSet<String>,
830) {
831 let entries = [
832 (
833 crate::errors::DEFAULT_404_TEMPLATE_NAME,
834 crate::errors::DEFAULT_404_HTML,
835 ),
836 (
837 crate::errors::DEFAULT_500_TEMPLATE_NAME,
838 crate::errors::DEFAULT_500_HTML,
839 ),
840 ];
841 for (name, source) in entries {
842 if seen.contains(name) {
843 continue; // already provided by user — skip
844 }
845 // These are compile-time constants so they're `&'static str`; we can
846 // add them without cloning via `add_template` (non-owned variant).
847 if env.add_template(name, source).is_ok() {
848 seen.insert(name.to_string());
849 }
850 }
851}
852
853/// Publish the template engine into the process-wide ambient handle.
854///
855/// `dirs` is the ordered list of directories to search — the first
856/// entry is searched first (highest priority). Typically this is:
857/// `[app_templates_dir, plugin_a_dir, plugin_b_dir, ...]`.
858///
859/// For each directory in order, every `.html` / `.htm` / `.txt` file is
860/// registered under its path-relative-to-that-dir name. If a name was
861/// already registered by an earlier directory, the later file is skipped
862/// and a `tracing::warn!` is emitted so the collision is visible.
863///
864/// If none of the directories exist, init succeeds with an empty engine.
865/// This is the right default for binaries that don't render HTML.
866///
867/// Returns the list of template names that collided (appeared in more
868/// than one directory). The caller (`App::build`) logs these via tracing.
869/// Tests can inspect the returned list to assert collision detection
870/// without needing a tracing subscriber.
871pub fn init(dirs: &[PathBuf]) -> Result<Vec<String>, TemplateError> {
872 let (env, collisions) = build_env(dirs)?;
873
874 for name in &collisions {
875 tracing::warn!(
876 template = %name,
877 "umbral templates: template `{name}` is provided by multiple directories; \
878 the first-registered copy wins"
879 );
880 }
881
882 // Stash the dirs so the dev-mode render path can rebuild the env
883 // on demand without re-running the (more expensive) init flow.
884 let _ = WATCHED_DIRS.set(dirs.to_vec());
885
886 ENGINE
887 .set(env)
888 .map_err(|_| TemplateError::AlreadyInitialised)?;
889 Ok(collisions)
890}
891
892/// Like [`init`], but also installs plugin-contributed
893/// [`TemplateRegistrar`]s (feature #67). The registrars are stashed in
894/// the process-wide [`REGISTRARS`] handle *before* the engine is built so
895/// [`build_env`] applies them — both here and on every dev-mode rebuild.
896///
897/// Called by `App::build` with the flattened registrars from every
898/// plugin's `template_registrars()`, in topological order. The plain
899/// [`init`] stays the no-plugin entry point used by template unit tests.
900pub fn init_with(
901 dirs: &[PathBuf],
902 registrars: Vec<TemplateRegistrar>,
903) -> Result<Vec<String>, TemplateError> {
904 // Set even when empty so a second (errant) init can't smuggle in a
905 // different registrar set behind the already-published engine.
906 let _ = REGISTRARS.set(registrars);
907 init(dirs)
908}
909
910/// Build a fresh `Environment` from the given dirs. Shared by the
911/// init path and the dev-mode hot-reload path; both produce
912/// bit-identical engines from the same input.
913fn build_env(dirs: &[PathBuf]) -> Result<(Environment<'static>, Vec<String>), TemplateError> {
914 let mut env = Environment::new();
915 // Autoescape extensions MUST stay in sync with the loader
916 // whitelist in `load_directory` (currently `html | htm | txt`).
917 // If you add `.svg` or `.xml` to the loader, add them HERE too
918 // — `.svg` carries inline-script XSS risk and `.xml` is generally
919 // parsed by something downstream that wants attribute escaping.
920 // `.txt` stays `None` because plaintext rendering shouldn't HTML-
921 // escape (would replace `<` with `<` in plain email bodies).
922 env.set_auto_escape_callback(|name| {
923 if name.ends_with(".html") || name.ends_with(".htm") {
924 AutoEscape::Html
925 } else {
926 AutoEscape::None
927 }
928 });
929
930 // gaps2 #21 — register the `img` filter for ergonomic, perf-
931 // forward image markup. `{{ url | img(alt="...", width=400,
932 // height=300) }}` expands to a fully-formed `<img>` with the
933 // hat-trick that catches LCP regressions out of the box:
934 // `loading="lazy"`, `decoding="async"`, explicit `width`/
935 // `height` to reserve layout space (no CLS), and an `alt`
936 // attribute that's empty rather than omitted (screen-reader-
937 // friendly default for purely decorative images). Optional
938 // `class="..."` flows through for Tailwind / scoped styling.
939 register_img_filter(&mut env);
940
941 // `{{ highlight_styles() }}` — the syntect token stylesheet for
942 // server-highlighted code, emitted once into <head> by a base template.
943 register_highlight_styles_function(&mut env);
944
945 // Unified static pipeline — `{{ static("admin/admin.css") }}`
946 // expands to `<static_url>admin/admin.css`. The `static_url` is read
947 // from ambient settings (defaulting to `/static/` when settings
948 // aren't initialised yet, e.g. in a bare template unit test) and
949 // captured into the function closure. See `register_static_function`.
950 let static_url = crate::settings::get_opt()
951 .map(|s| s.static_url.clone())
952 .unwrap_or_else(|| "/static/".to_string());
953 register_static_function(&mut env, static_url);
954
955 // `{{ media_url(plugin.logo) }}` resolves a stored file/image KEY
956 // through the ambient Storage backend's `url()`, the media-side
957 // companion to `static()`. ImageField/FileField serialize as the
958 // bare key; this turns it into the public URL. See
959 // `register_media_url_function`.
960 register_media_url_function(&mut env);
961
962 // features.md #4 — `{{ body | markdown }}` renders user-supplied
963 // CommonMark/GFM to sanitized HTML. The reusable "safely show a
964 // body/usage field" surface shared by the admin and end-user
965 // templates; pairs with `#[umbral(widget = "markdown")]` on the
966 // model field that captures the source.
967 register_markdown_filter(&mut env);
968
969 // features.md #4 — `{{ html | sanitize }}` cleans stored HTML (the
970 // `rte` admin widget's output) to a safe allowlist. The HTML-side
971 // companion to the markdown filter.
972 register_sanitize_filter(&mut env);
973
974 // gaps2 #19 follow-up — render `None` / `Undefined` as the
975 // empty string instead of the literal "none" / "undefined" tokens
976 // MiniJinja defaults to. Bug screenshot 2026-06-10 01-08-30: an
977 // `Option<String>` model field with `value=None` rendered into
978 // `<input value="{{ form.phone }}">` produced `value="none"` on a
979 // fresh form, which the user then has to manually clear before
980 // typing. Every form with optional fields hit this footgun.
981 //
982 // Defining a custom formatter is the framework-level fix — every
983 // template (admin, shop, plugins) inherits the new behaviour
984 // automatically. Non-null/non-undefined values pass through the
985 // default formatter unchanged so HTML escaping, number / bool /
986 // string rendering, and safe-string handling stay identical.
987 env.set_formatter(|out, state, value| {
988 if value.is_none() || value.is_undefined() {
989 return Ok(());
990 }
991 minijinja::escape_formatter(out, state, value)
992 });
993
994 // features.md #67 — built-in example tags/filters. These ship as the
995 // reference implementations for the custom-tag surface: `now()` for a
996 // server-rendered timestamp, `currency` for money formatting. Plugins
997 // add their own via `Plugin::template_registrars` (applied below).
998 register_now_function(&mut env);
999 register_currency_filter(&mut env);
1000
1001 // features #65 — `{{ querystring_with(base_query, "page", item.n) }}`
1002 // rebuilds the current querystring replacing one key, so the bundled
1003 // `_pagination.html` nav carries `?sort=...` filters across every
1004 // `?page=N` link. See `register_querystring_with_function`.
1005 register_querystring_with_function(&mut env);
1006
1007 // features.md #67 — plugin-contributed filters/functions. Applied
1008 // AFTER the built-ins so a plugin can deliberately override one by
1009 // re-registering the same name (minijinja's add_* overwrites). Runs
1010 // on every rebuild (dev hot-reload) because `Fn`, not `FnOnce`.
1011 if let Some(registrars) = REGISTRARS.get() {
1012 for registrar in registrars {
1013 registrar(&mut env);
1014 }
1015 }
1016
1017 let mut seen: HashSet<String> = HashSet::new();
1018 let mut collisions: Vec<String> = Vec::new();
1019
1020 // Register the built-in default error templates before scanning disk
1021 // directories. Because disk directories are first-match-wins and are
1022 // scanned after this call, a user template with the same name (unlikely,
1023 // since the `__umbral__/` prefix is reserved) would silently replace the
1024 // built-in. Callers who want a clean opt-out should use
1025 // `App::builder().disable_default_error_pages()`.
1026 register_default_templates(&mut env, &mut seen);
1027
1028 for dir in dirs {
1029 if dir.exists() {
1030 load_directory(&mut env, dir, dir, &mut seen, &mut collisions)?;
1031 }
1032 }
1033
1034 Ok((env, collisions))
1035}
1036
1037/// Render a template by name with a serde-serializable context value.
1038///
1039/// The name is the path relative to its templates directory, with
1040/// forward slashes regardless of host OS. `articles_list.html`,
1041/// `admin/base.html`, etc.
1042///
1043/// Returns `TemplateError::NotInitialised` if `App::build()` hasn't
1044/// run yet, `TemplateError::Missing` if the name doesn't match a
1045/// loaded template, and `TemplateError::Render` for any minijinja-
1046/// reported issue (syntax error, missing variable when strict undefined
1047/// is on, etc.).
1048pub fn render<C: Serialize>(name: &str, ctx: &C) -> Result<String, TemplateError> {
1049 // Dev-mode hot reload: when settings.environment == Dev, rebuild
1050 // the environment from disk on every render so template edits are
1051 // picked up without a server restart. This makes the dev loop —
1052 // edit `home.html`, hit reload, see the change — work without
1053 // `cargo run`-ing again. Production stays on the cached engine
1054 // for the fast path.
1055 //
1056 // Cost: one disk walk + minijinja parse per render in dev. For a
1057 // typical handler doing one render per request at ~10 RPS during
1058 // development, that's negligible. We chose this over per-file
1059 // stat checks because the per-render rebuild is dependency-free
1060 // and the staleness window is zero (a save followed instantly
1061 // by a reload always sees the new content).
1062 if dev_mode_active() {
1063 if let Some(dirs) = WATCHED_DIRS.get() {
1064 // Rebuild fresh; ignore collisions log here (init already
1065 // logged them once; we don't spam every render).
1066 match build_env(dirs) {
1067 Ok((env, _collisions)) => return render_with(&env, name, ctx),
1068 Err(e) => return Err(e),
1069 }
1070 }
1071 }
1072
1073 let env = ENGINE.get().ok_or(TemplateError::NotInitialised)?;
1074 render_with(env, name, ctx)
1075}
1076
1077/// Render an inline template source through the ambient-context path.
1078/// Test/bench helper only.
1079#[doc(hidden)]
1080pub fn render_str<C: Serialize>(src: &str, ctx: &C) -> Result<String, TemplateError> {
1081 let mut env = minijinja::Environment::new();
1082 env.add_template("__inline", src)
1083 .map_err(TemplateError::Render)?;
1084 render_with(&env, "__inline", ctx)
1085}
1086
1087/// True when the ambient settings say we're in Dev. Returns false if
1088/// settings haven't been initialised (production-style binaries that
1089/// never went through `App::build()`).
1090fn dev_mode_active() -> bool {
1091 crate::settings::get_opt()
1092 .map(|s| matches!(s.environment, crate::settings::Environment::Dev))
1093 .unwrap_or(false)
1094}
1095
1096/// Render a named template against the given env. Extracted so dev-mode
1097/// (fresh env per render) and prod (cached env) share one error mapping.
1098fn render_with<C: Serialize>(
1099 env: &Environment<'_>,
1100 name: &str,
1101 ctx: &C,
1102) -> Result<String, TemplateError> {
1103 let tmpl = env.get_template(name).map_err(|e| match e.kind() {
1104 minijinja::ErrorKind::TemplateNotFound => TemplateError::Missing(name.to_string()),
1105 _ => TemplateError::Render(e),
1106 })?;
1107 let merged = merge_ambient_context(ctx);
1108 tmpl.render(&merged).map_err(TemplateError::Render)
1109}
1110
1111/// Merge the ambient task-locals into a serializable template context:
1112/// `user` (from `CURRENT_USER`) and the CSRF pair `csrf_token` /
1113/// `csrf_input` (from `CURRENT_CSRF`). The handler's own keys always
1114/// win — the ambient injection is the default, not an override.
1115///
1116/// `user` is injected unconditionally (anonymous fallback below);
1117/// the CSRF pair only when a middleware actually scoped a token —
1118/// there is no meaningful fallback token, and rendering an empty
1119/// hidden input would make a form post a guaranteed-403 silently.
1120///
1121/// Most code should use [`render`], which calls this automatically.
1122/// Plugins that own a private MiniJinja environment can call this before
1123/// `Template::render` to get the same `{{ user }}`, `{{ csrf_token }}`,
1124/// and `{{ csrf_input }}` semantics as the framework renderer.
1125pub fn merge_ambient_context<C: Serialize>(ctx: &C) -> minijinja::Value {
1126 let ctx_value = minijinja::Value::from_serialize(ctx);
1127 merge_ambient_value(ctx_value)
1128}
1129
1130/// Same as [`merge_ambient_context`], but accepts an already-built
1131/// MiniJinja [`Value`](minijinja::Value). This is useful for private
1132/// plugin renderers that build context with `minijinja::context!`.
1133pub fn merge_ambient_value(ctx_value: minijinja::Value) -> minijinja::Value {
1134 let has = |key: &str| {
1135 ctx_value
1136 .get_attr(key)
1137 .map(|v| !v.is_undefined())
1138 .unwrap_or(false)
1139 };
1140
1141 let need_user = !has("user");
1142 let csrf = current_csrf();
1143 let need_csrf = csrf.is_some() && !(has("csrf_token") && has("csrf_input"));
1144
1145 if !need_user && !need_csrf {
1146 return ctx_value;
1147 }
1148
1149 // Build a fresh object that contains every original key plus the
1150 // ambient ones. minijinja's `Value::from_iter` over (key, value)
1151 // pairs produces a Map value; we walk the original keys and add
1152 // ours last.
1153 let mut pairs: Vec<(String, minijinja::Value)> = Vec::new();
1154 if let Ok(keys) = ctx_value.try_iter() {
1155 for key in keys {
1156 let key_str = key.to_string();
1157 if let Ok(v) = ctx_value.get_item(&key) {
1158 pairs.push((key_str, v));
1159 }
1160 }
1161 }
1162
1163 if need_user {
1164 // Resolve which `user` value should land in the rendered ctx:
1165 // 1. Task-local set by a middleware (AuthPlugin's
1166 // `user_context_layer`) — the live request shape.
1167 // 2. Anonymous fallback `{ is_authenticated: false }` for
1168 // callers WITHOUT a layer mounted AND for renders that
1169 // happen outside the middleware's scope (notably the
1170 // `render_500_middleware` recovery path — the
1171 // user-context task-local has already dropped by the time
1172 // the error layer renders, but the 500 template still
1173 // needs `user.is_authenticated` to evaluate cleanly).
1174 //
1175 // The fallback is the same shape `serialize_anonymous` would
1176 // produce, kept in core so umbral-auth isn't a dependency of
1177 // the templates module.
1178 // Prefer the lazy channel (proxy defers resolution until attribute access),
1179 // then the eager task-local, then the anonymous fallback.
1180 let user_value = if let Ok(lazy) = CURRENT_USER_LAZY.try_with(|lazy| lazy.clone()) {
1181 lazy.into_proxy_value()
1182 } else if let Some(v) = CURRENT_USER.try_with(|u| u.clone()).ok().flatten() {
1183 v
1184 } else {
1185 anonymous_user_value()
1186 };
1187 pairs.push(("user".to_string(), user_value));
1188 }
1189
1190 if let Some(token) = csrf {
1191 if !has("csrf_token") {
1192 pairs.push((
1193 "csrf_token".to_string(),
1194 minijinja::Value::from(token.clone()),
1195 ));
1196 }
1197 if !has("csrf_input") {
1198 // Today's tokens are hex (signed mode adds `.` + hex sig),
1199 // so the escape is belt-and-braces against a future
1200 // token-shape change — not a live attack surface.
1201 let escaped = token
1202 .replace('&', "&")
1203 .replace('"', """)
1204 .replace('<', "<")
1205 .replace('>', ">");
1206 pairs.push((
1207 "csrf_input".to_string(),
1208 minijinja::Value::from_safe_string(format!(
1209 r#"<input type="hidden" name="csrf_token" value="{escaped}">"#
1210 )),
1211 ));
1212 }
1213 }
1214
1215 minijinja::Value::from_iter(pairs)
1216}
1217
1218/// Anonymous-user sentinel — the value `user` resolves to in
1219/// templates rendered outside an authenticated context (no auth
1220/// middleware, anonymous request, or the 500-rendering path
1221/// where the middleware's task-local has already dropped).
1222/// Carries only `{ is_authenticated: false }` — enough for
1223/// `{% if user.is_authenticated %}` / `{% if user.is_staff %}`
1224/// to evaluate to false without `umbral templates: undefined
1225/// value` errors that would otherwise mask the original failure.
1226fn anonymous_user_value() -> minijinja::Value {
1227 let mut map = serde_json::Map::new();
1228 map.insert(
1229 "is_authenticated".to_string(),
1230 serde_json::Value::Bool(false),
1231 );
1232 // is_staff / is_superuser default to false too so a template
1233 // gating on either doesn't accidentally render the privileged
1234 // branch when `user` is the anonymous fallback.
1235 map.insert("is_staff".to_string(), serde_json::Value::Bool(false));
1236 map.insert("is_superuser".to_string(), serde_json::Value::Bool(false));
1237 minijinja::Value::from_serialize(serde_json::Value::Object(map))
1238}
1239
1240/// Walk a directory recursively and register every `.html` / `.htm` /
1241/// `.txt` file as a template under its path-relative-to-root name.
1242/// Subdirectories are reachable via forward-slash names: `admin/base.html`.
1243///
1244/// `seen` tracks which names have already been registered across all
1245/// directories. When a name collision is detected (a later directory
1246/// ships a template with the same relative name as an earlier one),
1247/// the duplicate is skipped and the name is appended to `collisions`.
1248/// First-match-wins.
1249fn load_directory(
1250 env: &mut Environment<'static>,
1251 root: &Path,
1252 dir: &Path,
1253 seen: &mut HashSet<String>,
1254 collisions: &mut Vec<String>,
1255) -> Result<(), TemplateError> {
1256 for entry in std::fs::read_dir(dir)? {
1257 let entry = entry?;
1258 let path = entry.path();
1259 if path.is_dir() {
1260 load_directory(env, root, &path, seen, collisions)?;
1261 continue;
1262 }
1263 let Some(ext) = path.extension().and_then(|e| e.to_str()) else {
1264 continue;
1265 };
1266 if !matches!(ext, "html" | "htm" | "txt") {
1267 continue;
1268 }
1269 let rel: PathBuf = path
1270 .strip_prefix(root)
1271 .expect("walked path is rooted at the templates dir")
1272 .to_path_buf();
1273 // minijinja template names are forward-slashed regardless of OS;
1274 // the path display would emit `\` on Windows, so build the name
1275 // explicitly.
1276 let name: String = rel
1277 .components()
1278 .map(|c| c.as_os_str().to_string_lossy().to_string())
1279 .collect::<Vec<_>>()
1280 .join("/");
1281
1282 if seen.contains(&name) {
1283 // Collision: a higher-priority directory already registered
1284 // this name. Record it and skip; init will log after all
1285 // dirs are processed.
1286 if !collisions.contains(&name) {
1287 collisions.push(name.clone());
1288 }
1289 continue;
1290 }
1291
1292 let source = std::fs::read_to_string(&path)?;
1293 env.add_template_owned(name.clone(), source)
1294 .map_err(TemplateError::Render)?;
1295 seen.insert(name);
1296 }
1297 Ok(())
1298}
1299
1300/// Errors the template engine can produce. Narrow at v1: load-time IO,
1301/// engine-not-ready, missing template, render-time minijinja error.
1302#[derive(Debug)]
1303pub enum TemplateError {
1304 /// `App::build()` hasn't run yet, so the ambient engine isn't set.
1305 NotInitialised,
1306 /// `init` was called twice — a programming error in the framework
1307 /// itself, not the user. Surfaced as a `BuildError` if it ever fires.
1308 AlreadyInitialised,
1309 /// IO error reading a template file at boot.
1310 Io(std::io::Error),
1311 /// The requested template name isn't loaded.
1312 Missing(String),
1313 /// Any other minijinja error (syntax, render-time, etc.). The
1314 /// inner `minijinja::Error` carries the diagnostic (line / col /
1315 /// undefined name) so the caller can pass it through `Display`.
1316 Render(minijinja::Error),
1317}
1318
1319impl std::fmt::Display for TemplateError {
1320 fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
1321 match self {
1322 TemplateError::NotInitialised => write!(
1323 f,
1324 "umbral templates: engine not initialised — call App::build() first"
1325 ),
1326 TemplateError::AlreadyInitialised => {
1327 write!(f, "umbral templates: init called more than once")
1328 }
1329 TemplateError::Io(e) => write!(f, "umbral templates: io: {e}"),
1330 TemplateError::Missing(name) => write!(
1331 f,
1332 "umbral templates: no template named `{name}`; check the templates directory"
1333 ),
1334 TemplateError::Render(e) => write!(f, "umbral templates: {e}"),
1335 }
1336 }
1337}
1338
1339impl std::error::Error for TemplateError {}
1340
1341impl From<std::io::Error> for TemplateError {
1342 fn from(e: std::io::Error) -> Self {
1343 Self::Io(e)
1344 }
1345}
1346
1347#[cfg(test)]
1348mod tests {
1349 use super::*;
1350 use serde_json::json;
1351
1352 #[test]
1353 fn img_url_scheme_safety() {
1354 // Relative + http(s) are allowed.
1355 assert!(url_scheme_is_safe("/media/cat.png"));
1356 assert!(url_scheme_is_safe("cat.png"));
1357 assert!(url_scheme_is_safe("../up/cat.png"));
1358 assert!(url_scheme_is_safe("http://example.com/cat.png"));
1359 assert!(url_scheme_is_safe("https://example.com/cat.png"));
1360 assert!(url_scheme_is_safe("HTTPS://EXAMPLE.com/cat.png"));
1361 assert!(url_scheme_is_safe("?query=only"));
1362 assert!(url_scheme_is_safe("#fragment"));
1363 // Dangerous / non-http schemes are rejected.
1364 assert!(!url_scheme_is_safe("javascript:alert(1)"));
1365 assert!(!url_scheme_is_safe(" javascript:alert(1)"));
1366 assert!(!url_scheme_is_safe("JaVaScRiPt:alert(1)"));
1367 assert!(!url_scheme_is_safe(
1368 "data:text/html,<script>alert(1)</script>"
1369 ));
1370 assert!(!url_scheme_is_safe("vbscript:msgbox(1)"));
1371 assert!(!url_scheme_is_safe("mailto:a@b.com"));
1372 // Malformed scheme (embedded control char) fails closed.
1373 assert!(!url_scheme_is_safe("java\u{0}script:alert(1)"));
1374 }
1375
1376 #[test]
1377 fn img_filter_neutralises_javascript_url() {
1378 let mut env = minijinja::Environment::new();
1379 register_img_filter(&mut env);
1380 env.add_template("t", "{{ url | img }}").unwrap();
1381 let tmpl = env.get_template("t").unwrap();
1382 let out = tmpl
1383 .render(minijinja::context! { url => "javascript:alert(1)" })
1384 .unwrap();
1385 assert!(
1386 !out.contains("javascript:"),
1387 "javascript: URL must be neutralised; got {out}"
1388 );
1389 assert!(out.contains("src=\"\""), "expected empty src; got {out}");
1390 }
1391
1392 #[test]
1393 fn nested_template_names_are_relative_to_templates_root() {
1394 let tmp = tempfile::tempdir().expect("create temp dir");
1395 let templates = tmp.path().join("templates");
1396 std::fs::create_dir_all(templates.join("base")).expect("create base template dir");
1397 std::fs::create_dir_all(templates.join("content")).expect("create content template dir");
1398
1399 std::fs::write(
1400 templates.join("base").join("site.html"),
1401 "<main>{% block content %}{% endblock %}</main>",
1402 )
1403 .expect("write nested base template");
1404 std::fs::write(
1405 templates.join("content").join("contact.html"),
1406 r#"{% extends "base/site.html" %}{% block content %}<h1>{{ title }}</h1><p>Contact from nested content.</p>{% endblock %}"#,
1407 )
1408 .expect("write nested content template");
1409
1410 let (env, collisions) = build_env(&[templates]).expect("build template env");
1411 assert!(collisions.is_empty());
1412
1413 let rendered = render_with(
1414 &env,
1415 "content/contact.html",
1416 &json!({ "title": "Nested contact" }),
1417 )
1418 .expect("render nested template by relative name");
1419
1420 assert!(rendered.contains("<main>"));
1421 assert!(rendered.contains("<h1>Nested contact</h1>"));
1422 assert!(rendered.contains("Contact from nested content."));
1423 }
1424
1425 /// Render `{{ static(arg) }}` against an env whose `static()` was
1426 /// registered with the given `static_url`. Exercises the helper
1427 /// directly without needing the ambient `Settings` OnceLock (which
1428 /// can't be set under cargo's parallel test runner).
1429 fn render_static(static_url: &str, arg: &str) -> String {
1430 let mut env = Environment::new();
1431 register_static_function(&mut env, static_url.to_string());
1432 env.add_template("t.txt", "{{ static(arg) }}")
1433 .expect("add template");
1434 let tmpl = env.get_template("t.txt").expect("get template");
1435 tmpl.render(json!({ "arg": arg })).expect("render")
1436 }
1437
1438 #[test]
1439 fn static_helper_prepends_root_relative_url() {
1440 assert_eq!(
1441 render_static("/static/", "admin/admin.css"),
1442 "/static/admin/admin.css"
1443 );
1444 }
1445
1446 #[test]
1447 fn static_helper_prepends_cdn_origin() {
1448 assert_eq!(
1449 render_static("https://cdn.example.com/s/", "admin/admin.css"),
1450 "https://cdn.example.com/s/admin/admin.css"
1451 );
1452 }
1453
1454 #[test]
1455 fn static_helper_does_not_double_slash_on_leading_slash_arg() {
1456 assert_eq!(render_static("/static/", "/admin/x"), "/static/admin/x");
1457 }
1458
1459 #[test]
1460 fn highlight_css_contains_hl_rules() {
1461 let css = highlight_css();
1462 assert!(!css.is_empty(), "generated theme CSS should not be empty");
1463 assert!(
1464 css.contains(".hl-"),
1465 "theme CSS must target hl- classes: {css}"
1466 );
1467 }
1468
1469 #[test]
1470 fn fenced_rust_block_gets_syntect_token_spans() {
1471 let html = render_markdown("```rust\nfn main() {}\n```\n");
1472 assert!(
1473 html.contains("language-rust"),
1474 "keeps the language class for the md-enhance label: {html}"
1475 );
1476 assert!(
1477 html.contains("class=\"hl-"),
1478 "emits syntect hl- token spans: {html}"
1479 );
1480 }
1481
1482 #[test]
1483 fn script_in_code_fence_is_escaped_not_executed() {
1484 let html = render_markdown("```\n<script>alert(1)</script>\n```\n");
1485 assert!(!html.contains("<script>"), "no live script tag: {html}");
1486 assert!(
1487 html.contains("<script>"),
1488 "rendered as inert text: {html}"
1489 );
1490 }
1491
1492 #[test]
1493 fn prose_script_is_still_stripped() {
1494 let html = render_markdown("hello <script>alert(1)</script> world");
1495 assert!(!html.contains("<script>"), "prose script stripped: {html}");
1496 }
1497
1498 #[test]
1499 fn markdown_allows_class_but_not_style() {
1500 let html = render_markdown("<span class=\"x\" style=\"color:red\">hi</span>");
1501 assert!(html.contains("class=\"x\""), "class survives: {html}");
1502 assert!(!html.contains("style="), "style stripped: {html}");
1503 }
1504
1505 #[test]
1506 fn unknown_and_plain_fences_do_not_panic() {
1507 let unknown = render_markdown("```notalanguage\nx := 1\n```\n");
1508 let plain = render_markdown("```\nplain text\n```\n");
1509 assert!(
1510 unknown.contains("<pre><code"),
1511 "unknown lang block: {unknown}"
1512 );
1513 assert!(plain.contains("<pre><code"), "plain block: {plain}");
1514 assert!(
1515 unknown.contains("language-notalanguage"),
1516 "unknown lang still labelled: {unknown}"
1517 );
1518 }
1519
1520 /// Security: a hostile fence info token (e.g. `<script>alert(1)</script>`)
1521 /// must NOT appear as a live tag in the output. `wrap_code_block` HTML-escapes
1522 /// the lang token before inserting it into the class attribute value, and
1523 /// ammonia's builder only permits `class` on `<code>` — it does not allow
1524 /// arbitrary attributes or values. So a `<script>` info string is inert.
1525 ///
1526 /// Also asserts that the SAFE path — a plain `language-rust` class on
1527 /// the `<code>` element — still survives after the widened allowlist so
1528 /// the syntect token spans have a hook. This is the regression pin for
1529 /// gaps2 #36 sub-part (a).
1530 #[test]
1531 fn hostile_fence_info_string_is_escaped_and_language_class_survives() {
1532 // Hostile: info token that looks like a script injection.
1533 let hostile = render_markdown("```<script>alert(1)</script>\ncode\n```\n");
1534 assert!(
1535 !hostile.contains("<script>"),
1536 "live <script> from fence info must be stripped: {hostile}"
1537 );
1538 // The escaped form will appear inside a class value; ammonia lets
1539 // class through but the content is HTML-escaped so it is inert.
1540 assert!(
1541 hostile.contains("<pre><code"),
1542 "code block structure must survive: {hostile}"
1543 );
1544
1545 // Hostile: info token with a class-injection attempt.
1546 let class_inject = render_markdown("```evil\" onmouseover=\"alert(1)\ncode\n```\n");
1547 assert!(
1548 !class_inject.contains("onmouseover"),
1549 "event handler injected via fence info must not survive: {class_inject}"
1550 );
1551
1552 // Safe: the normal case — language-rust class must survive so
1553 // syntect hl- spans (server-side) and the md-enhance label both work.
1554 let safe = render_markdown("```rust\nfn ok() {}\n```\n");
1555 assert!(
1556 safe.contains("language-rust"),
1557 "language-rust class must survive sanitization (gaps2 #36a): {safe}"
1558 );
1559 assert!(
1560 safe.contains("class=\"hl-"),
1561 "syntect hl- token spans must survive sanitization: {safe}"
1562 );
1563 }
1564
1565 #[test]
1566 fn highlight_styles_global_emits_a_style_block() {
1567 let mut env = Environment::new();
1568 register_highlight_styles_function(&mut env);
1569 env.add_template("t", "{{ highlight_styles() }}")
1570 .expect("add template");
1571 let out = env
1572 .get_template("t")
1573 .expect("get template")
1574 .render(())
1575 .expect("render");
1576 assert!(out.starts_with("<style>"), "wraps in a style block: {out}");
1577 assert!(out.contains(".hl-"), "carries the token CSS: {out}");
1578 assert!(
1579 out.trim_end().ends_with("</style>"),
1580 "closes the style block: {out}"
1581 );
1582 }
1583}