Backport writer field fix from 3.6.0

#3512 #3887 #3922 #3899
getkirby · Nov 13, 2021 · f64364a · f64364a
1 parent c77ccb8
commit f64364a
Show file tree

Hide file tree

Showing 15 changed files with 3,174 additions and 6 deletions.
diff --git a/config/fields/writer.php b/config/fields/writer.php
@@ -1,5 1,7 @@
 <?php
 
 use Kirby\Sane\Html;
 
 return [
  'props' => [
  /**
@@ -27,7 29,7 @@
  ],
  'computed' => [
  'value' => function () {
- return trim($this->value);
  return Html::sanitize(trim($this->value));
  }
  ],
 ];
diff --git a/panel/dist/js/app.js b/panel/dist/js/app.js
diff --git a/panel/src/components/Writer/Writer.vue b/panel/src/components/Writer/Writer.vue
@@ -106,6 106,7 @@ export default {
  data() {
  return {
  editor: null,
  json: {},
  html: this.value,
  isEmpty: true,
  toolbar: false
@@ -140,7 141,16 @@ export default {
  }
  },
  update: (payload) => {
- this.html = payload.editor.getHTML();
  // compare documents to avoid minor HTML differences
  // to cause unwanted updates
  const jsonNew = JSON.stringify(this.editor.getJSON());
  const jsonOld = JSON.stringify(this.json);
 
  if (jsonNew === jsonOld) {
  return;
  }
 
  this.json = jsonNew;
  this.isEmpty = payload.editor.isEmpty();
 
  // when a new list item or heading is created, textContent length returns 0
@@ -156,6 166,9 @@ export default {
  this.html = "";
  }
 
  // create the final HTML to send to the server
  this.html = payload.editor.getHTML();
 
  this.$emit("input", this.html);
  }
  },
@@ -172,6 185,7 @@ export default {
  });
 
  this.isEmpty = this.editor.isEmpty();
  this.json = this.editor.getJSON();
  },
  beforeDestroy() {
  this.editor.destroy();

diff --git a/panel/vite.config.custom.js b/panel/vite.config.custom.js
@@ -0,0 1,11 @@
 const fs = require("fs");
 
 process.env.VUE_APP_DEV_SERVER = "https://sandbox.kirby.test";
 
 module.exports = {
  host: "sandbox.kirby.test",
  https: {
  key: fs.readFileSync('/Users/luX/Library/Application Support/Caddy/certificates/local/sandbox.kirby.test/sandbox.kirby.test.key'),
  cert: fs.readFileSync('/Users/luX/Library/Application Support/Caddy/certificates/local/sandbox.kirby.test/sandbox.kirby.test.crt')
  }
 };
diff --git a/src/Sane/DomHandler.php b/src/Sane/DomHandler.php
@@ -0,0 1,165 @@
 <?php
 
 namespace Kirby\Sane;
 
 use DOMAttr;
 use DOMDocumentType;
 use DOMElement;
 use Kirby\Toolkit\Dom;
 
 /**
  * Base class for Sane handlers with DOM file types
  * @since 3.5.8
  *
  * @package Kirby Sane
  * @author Lukas Bestle <[email protected]>
  * @link https://getkirby.com
  * @copyright Bastian Allgeier GmbH
  * @license https://opensource.org/licenses/MIT
  */
 class DomHandler extends Handler
 {
  /**
  * List of all MIME types that may
  * be used in data URIs
  *
  * @var array
  */
  public static $allowedDataUris = [
  'data:image/png',
  'data:image/gif',
  'data:image/jpg',
  'data:image/jpe',
  'data:image/pjp',
  'data:img/png',
  'data:img/gif',
  'data:img/jpg',
  'data:img/jpe',
  'data:img/pjp',
  ];
 
  /**
  * Allowed hostnames for HTTP(S) URLs
  *
  * @var array
  */
  public static $allowedDomains = [];
 
  /**
  * Names of allowed XML processing instructions
  *
  * @var array
  */
  public static $allowedPIs = [];
 
  /**
  * The document type (`'HTML'` or `'XML'`)
  * (to be set in child classes)
  *
  * @var string
  */
  protected static $type = 'XML';
 
  /**
  * Sanitizes the given string
  *
  * @param string $string
  * @return string
  *
  * @throws \Kirby\Exception\InvalidArgumentException If the file couldn't be parsed
  */
  public static function sanitize(string $string): string
  {
  $dom = static::parse($string);
  $dom->sanitize(static::options());
  return $dom->toString();
  }
 
  /**
  * Validates file contents
  *
  * @param string $string
  * @return void
  *
  * @throws \Kirby\Exception\InvalidArgumentException If the file couldn't be parsed
  * @throws \Kirby\Exception\InvalidArgumentException If the file didn't pass validation
  */
  public static function validate(string $string): void
  {
  $dom = static::parse($string);
  $errors = $dom->sanitize(static::options());
  if (count($errors) > 0) {
  // there may be multiple errors, we can only throw one of them at a time
  throw $errors[0];
  }
  }
 
  /**
  * Custom callback for additional attribute sanitization
  * @internal
  *
  * @param \DOMAttr $attr
  * @return array Array with exception objects for each modification
  */
  public static function sanitizeAttr(DOMAttr $attr): array
  {
  // to be extended in child classes
  return [];
  }
 
  /**
  * Custom callback for additional element sanitization
  * @internal
  *
  * @param \DOMElement $element
  * @return array Array with exception objects for each modification
  */
  public static function sanitizeElement(DOMElement $element): array
  {
  // to be extended in child classes
  return [];
  }
 
  /**
  * Custom callback for additional doctype validation
  * @internal
  *
  * @param \DOMDocumentType $doctype
  * @return void
  */
  public static function validateDoctype(DOMDocumentType $doctype): void
  {
  // to be extended in child classes
  }
 
  /**
  * Returns the sanitization options for the handler
  * (to be extended in child classes)
  *
  * @return array
  */
  protected static function options(): array
  {
  return [
  'allowedDataUris' => static::$allowedDataUris,
  'allowedDomains' => static::$allowedDomains,
  'allowedPIs' => static::$allowedPIs,
  'attrCallback' => [static::class, 'sanitizeAttr'],
  'doctypeCallback' => [static::class, 'validateDoctype'],
  'elementCallback' => [static::class, 'sanitizeElement'],
  ];
  }
 
  /**
  * Parses the given string into a `Toolkit\Dom` object
  *
  * @param string $string
  * @return \Kirby\Toolkit\Dom
  *
  * @throws \Kirby\Exception\InvalidArgumentException If the file couldn't be parsed
  */
  protected static function parse(string $string)
  {
  return new Dom($string, static::$type);
  }
 }
diff --git a/src/Sane/Html.php b/src/Sane/Html.php
@@ -0,0 1,144 @@
 <?php
 
 namespace Kirby\Sane;
 
 /**
  * Sane handler for HTML files
  * @since 3.5.8
  *
  * @package Kirby Sane
  * @author Bastian Allgeier <[email protected]>,
  * Lukas Bestle <[email protected]>
  * @link https://getkirby.com
  * @copyright Bastian Allgeier GmbH
  * @license https://opensource.org/licenses/MIT
  */
 class Html extends DomHandler
 {
  /**
  * Global list of allowed attribute prefixes
  *
  * @var array
  */
  public static $allowedAttrPrefixes = [
  'aria-',
  'data-',
  ];
 
  /**
  * Global list of allowed attributes
  *
  * @var array
  */
  public static $allowedAttrs = [
  'class',
  'id',
  ];
 
  /**
  * Allowed hostnames for HTTP(S) URLs
  *
  * @var array
  */
  public static $allowedDomains = true;
 
  /**
  * Associative array of all allowed tag names with the value
  * of either an array with the list of all allowed attributes
  * for this tag, `true` to allow any attribute from the
  * `allowedAttrs` list or `false` to allow the tag without
  * any attributes
  *
  * @var array
  */
  public static $allowedTags = [
  'a' => ['href', 'rel', 'title', 'target'],
  'abbr' => ['title'],
  'b' => true,
  'body' => true,
  'blockquote' => true,
  'br' => true,
  'code' => true,
  'dl' => true,
  'dd' => true,
  'del' => true,
  'div' => true,
  'dt' => true,
  'em' => true,
  'footer' => true,
  'h1' => true,
  'h2' => true,
  'h3' => true,
  'h4' => true,
  'h5' => true,
  'h6' => true,
  'hr' => true,
  'html' => true,
  'i' => true,
  'ins' => true,
  'li' => true,
  'small' => true,
  'span' => true,
  'strong' => true,
  'sub' => true,
  'sup' => true,
  'ol' => true,
  'p' => true,
  'pre' => true,
  's' => true,
  'u' => true,
  'ul' => true,
  ];
 
  /**
  * Array of explicitly disallowed tags
  *
  * IMPORTANT: Use lower-case names here because
  * of the case-insensitive matching
  *
  * @var array
  */
  public static $disallowedTags = [
  'iframe',
  'meta',
  'object',
  'script',
  'style',
  ];
 
  /**
  * List of attributes that may contain URLs
  *
  * @var array
  */
  public static $urlAttrs = [
  'href',
  'src',
  'xlink:href',
  ];
 
  /**
  * The document type (`'HTML'` or `'XML'`)
  *
  * @var string
  */
  protected static $type = 'HTML';
 
  /**
  * Returns the sanitization options for the handler
  *
  * @return array
  */
  protected static function options(): array
  {
  return array_merge(parent::options(), [
  'allowedAttrPrefixes' => static::$allowedAttrPrefixes,
  'allowedAttrs' => static::$allowedAttrs,
  'allowedNamespaces' => [],
  'allowedPIs' => [],
  'allowedTags' => static::$allowedTags,
  'disallowedTags' => static::$disallowedTags,
  'urlAttrs' => static::$urlAttrs,
  ]);
  }
 }