Updates composer diffs to use precompiled templates

Author: d13

.prettierignore

@@ -11,6 +11,7 @@ images/icons/template/mapping.json
 images/icons/template/sass-map.hbs
 images/icons/template/styles.hbs
 src/emojis.generated.ts
+src/webviews/apps/plus/composer/components/diff/diff-templates.compiled.ts
 src/webviews/apps/shared/components/icons/codicons-map.ts
 src/webviews/apps/shared/components/icons/glicons-map.ts
 src/webviews/apps/shared/styles/icons/codicons-map.scss

package.json

@@ -24910,7 +24910,7 @@
 		"build:quick": "webpack --mode development --env skipLint",
 		"build:extension": "webpack --mode development --config-name extension:node",
 		"build:extension:browser": "webpack --mode development --config-name extension:webworker",
-		"build:webviews": "webpack --mode development --config-name webviews:common --config-name webviews",
+		"build:webviews": "node ./scripts/compile-composer-templates.mjs && webpack --mode development --config-name webviews:common --config-name webviews",
 		"build:icons": "pnpm run icons:svgo && pnpm fantasticon && pnpm run icons:apply && pnpm run icons:export",
 		"build:tests": "node ./scripts/esbuild.tests.mjs",
 		"// Extracts the contributions from package.json into contributions.json": "//",
@@ -25045,6 +25045,7 @@
 		"fork-ts-checker-webpack-plugin": "9.1.0",
 		"glob": "11.0.3",
 		"globals": "16.3.0",
+		"hogan.js": "3.0.2",
 		"html-loader": "5.1.0",
 		"html-webpack-plugin": "5.6.3",
 		"image-minimizer-webpack-plugin": "4.1.3",

pnpm-lock.yaml

@@ -0,0 +1,56 @@
+// Precompile Composer custom diff2html Hogan templates to avoid runtime eval
+// Usage: node scripts/compile-composer-templates.mjs
+
+import fs from 'node:fs';
+import path from 'node:path';
+import { createRequire } from 'node:module';
+const require = createRequire(import.meta.url);
+let Hogan;
+try {
+	// Prefer root-level hogan.js if hoisted
+	Hogan = await import('hogan.js');
+} catch {
+	// Fallback: resolve from diff2html's nested dependency to support pnpm non-hoisted layout
+	const diff2htmlPkg = require.resolve('diff2html/package.json');
+	const hoganPath = require.resolve('hogan.js', {
+		paths: [require('node:path').join(require('node:path').dirname(diff2htmlPkg), 'node_modules')],
+	});
+	const { pathToFileURL } = await import('node:url');
+	Hogan = await import(pathToFileURL(hoganPath).href);
+}
+Hogan = (Hogan && Hogan.default) || Hogan;
+
+const repoRoot = path.resolve(path.dirname(new URL(import.meta.url).pathname.replace(/^\//, '')), '..');
+const srcPath = path.join(repoRoot, 'src/webviews/apps/plus/composer/components/diff/diff-templates.ts');
+const outPath = path.join(repoRoot, 'src/webviews/apps/plus/composer/components/diff/diff-templates.compiled.ts');
+
+const source = fs.readFileSync(srcPath, 'utf8');
+
+// Extract template strings from the TS source
+function extractTemplate(name) {
+	const re = new RegExp(`export const ${name} = \`([\\s\\S]*?)\`;`);
+	const m = source.match(re);
+	if (!m) throw new Error(`Template ${name} not found in ${srcPath}`);
+	return m[1];
+}
+
+const blockHeader = extractTemplate('blockHeaderTemplate');
+const lineByLineFile = extractTemplate('lineByLineFileTemplate');
+const sideBySideFile = extractTemplate('sideBySideFileTemplate');
+const genericFilePath = extractTemplate('genericFilePathTemplate');
+
+function precompile(name, tpl) {
+	// Generate a code object compatible with new Hogan.Template(<code object>)
+	const code = Hogan.compile(tpl, { asString: true });
+	return `  "${name}": new Hogan.Template(${code})`;
+}
+
+const header = `/* eslint-disable */\n// @ts-nocheck\n// Generated by scripts/compile-composer-templates.mjs — DO NOT EDIT\nimport type { CompiledTemplates } from 'diff2html/lib-esm/hoganjs-utils';\nimport * as Hogan from 'hogan.js';\n`;
+
+const body = `export const compiledComposerTemplates: CompiledTemplates = {\n${precompile(
+	'generic-block-header',
+	blockHeader,
+)},\n${precompile('line-by-line-file-diff', lineByLineFile)},\n${precompile('side-by-side-file-diff', sideBySideFile)},\n${precompile('generic-file-path', genericFilePath)}\n};\n`;
+
+fs.writeFileSync(outPath, header + body, 'utf8');
+console.log(`Wrote ${outPath}`);

scripts/compile-composer-templates.mjs

@@ -1,21 +1,14 @@
-import { html as html2, parse as parseDiff } from 'diff2html';
-import type { RawTemplates } from 'diff2html/lib-esm/hoganjs-utils';
+import { parse as parseDiff } from 'diff2html';
 import type { DiffFile } from 'diff2html/lib-esm/types';
 import { ColorSchemeType } from 'diff2html/lib-esm/types';
 import type { Diff2HtmlUIConfig } from 'diff2html/lib-esm/ui/js/diff2html-ui.js';
 import { Diff2HtmlUI } from 'diff2html/lib-esm/ui/js/diff2html-ui.js';
-import { css, html, LitElement, nothing } from 'lit';
+import { css, html, LitElement } from 'lit';
 import { customElement, property, query, state } from 'lit/decorators.js';
-import { unsafeHTML } from 'lit/directives/unsafe-html.js';
 import type { ComposerHunk } from '../../../../../plus/composer/protocol';
 import { focusableBaseStyles } from '../../../../shared/components/styles/lit/a11y.css';
 import { boxSizingBase, scrollableBase } from '../../../../shared/components/styles/lit/base.css';
-import {
-	blockHeaderTemplate,
-	genericFilePathTemplate,
-	lineByLineFileTemplate,
-	sideBySideFileTemplate,
-} from './diff-templates';
+import { compiledComposerTemplates } from './diff-templates.compiled';
 import { diff2htmlStyles, diffStyles, hljsStyles } from './diff.css';
 import '../../../../shared/components/code-icon';
 
@@ -57,15 +50,6 @@ export class GlDiffFile extends LitElement {
 	@state()
 	private parsedDiff?: DiffFile[];
 
-	get rawTemplates(): RawTemplates {
-		return {
-			'block-header': blockHeaderTemplate,
-			'line-by-line-file-diff': lineByLineFileTemplate,
-			'side-by-side-file-diff': sideBySideFileTemplate,
-			'generic-file-path': genericFilePathTemplate,
-		};
-	}
-
 	private diff2htmlUi?: Diff2HtmlUI;
 
 	override firstUpdated() {
@@ -86,9 +70,6 @@ export class GlDiffFile extends LitElement {
 	override render() {
 		return html`<div id="diff"></div>`;
 	}
-	// override render() {
-	// 	return this.renderDiff2();
-	// }
 
 	private renderDiff() {
 		if (!this.parsedDiff) {
@@ -100,29 +81,17 @@ export class GlDiffFile extends LitElement {
 			outputFormat: this.sideBySide ? 'side-by-side' : 'line-by-line',
 			drawFileList: false,
 			highlight: false,
-			rawTemplates: this.rawTemplates,
+			// NOTE: Avoiding passing rawTemplates to Diff2HtmlUI to prevent Diff2Html from
+			// compiling templates at runtime via Hogan.compile (which uses eval), which violates
+			// the webview CSP (no 'unsafe-eval'). If we need to customize templates in the future,
+			// switch to providing precompiled templates in the bundle instead of raw strings.
+			compiledTemplates: compiledComposerTemplates,
 		};
 		this.diff2htmlUi = new Diff2HtmlUI(this.targetElement, this.parsedDiff, config);
 		this.diff2htmlUi.draw();
 		// this.diff2htmlUi.highlightCode();
 	}
 
-	private renderDiff2() {
-		if (!this.diffText) {
-			return nothing;
-		}
-
-		const html = html2(this.diffText, {
-			drawFileList: false,
-			// matching: 'lines',
-			outputFormat: 'line-by-line',
-			// colorScheme: this.isDarkMode ? ColorSchemeType.DARK : ColorSchemeType.LIGHT,
-			colorScheme: ColorSchemeType.AUTO,
-		});
-
-		return unsafeHTML(html);
-	}
-
 	private processDiff() {
 		// create diff text, then call parseDiff
 		if (!this.filename || !this.hunks || this.hunks.length === 0) {

src/webviews/apps/plus/composer/components/diff/diff-file.ts

@@ -0,0 +1,11 @@
+/* eslint-disable */
+// @ts-nocheck
+// Generated by scripts/compile-composer-templates.mjs — DO NOT EDIT
+import type { CompiledTemplates } from 'diff2html/lib-esm/hoganjs-utils';
+import * as Hogan from 'hogan.js';
+export const compiledComposerTemplates: CompiledTemplates = {
+  "generic-block-header": new Hogan.Template({code: function (c,p,i) { var t=this;t.b(i=i||"");t.b("<tr>");t.b("\n" + i);t.b("    <td class=\"");t.b(t.v(t.f("lineClass",c,p,0)));t.b(" ");t.b(t.v(t.d("CSSLineClass.INFO",c,p,0)));t.b("\"></td>");t.b("\n" + i);t.b("    <td class=\"");t.b(t.v(t.d("CSSLineClass.INFO",c,p,0)));t.b("\">");t.b("\n" + i);t.b("        <div class=\"");t.b(t.v(t.f("contentClass",c,p,0)));t.b("\">");if(t.s(t.f("blockHeader",c,p,1),c,p,0,156,173,"{{ }}")){t.rs(c,p,function(c,p,t){t.b(t.t(t.f("blockHeader",c,p,0)));});c.pop();}if(!t.s(t.f("blockHeader",c,p,1),c,p,1,0,0,"")){t.b("&nbsp;");};t.b("</div>");t.b("\n" + i);t.b("    </td>");t.b("\n" + i);t.b("</tr>");return t.fl(); },partials: {}, subs: {  }}),
+  "line-by-line-file-diff": new Hogan.Template({code: function (c,p,i) { var t=this;t.b(i=i||"");t.b("<details open id=\"");t.b(t.v(t.f("fileHtmlId",c,p,0)));t.b("\" class=\"d2h-file-wrapper\" data-lang=\"");t.b(t.v(t.d("file.language",c,p,0)));t.b("\">");t.b("\n" + i);t.b("    <summary class=\"d2h-file-header\">");t.b("\n" + i);t.b("      <code-icon class=\"file-icon--open\" icon=\"chevron-down\"></code-icon>");t.b("\n" + i);t.b("      <code-icon class=\"file-icon--closed\" icon=\"chevron-right\"></code-icon>");t.b("\n" + i);t.b("      ");t.b(t.t(t.f("filePath",c,p,0)));t.b("\n" + i);t.b("    </summary>");t.b("\n" + i);t.b("    <div class=\"d2h-file-diff scrollable\">");t.b("\n" + i);t.b("        <div class=\"d2h-code-wrapper\">");t.b("\n" + i);t.b("            <table class=\"d2h-diff-table\">");t.b("\n" + i);t.b("                <tbody class=\"d2h-diff-tbody\">");t.b("\n" + i);t.b("                ");t.b(t.t(t.f("diffs",c,p,0)));t.b("\n" + i);t.b("                </tbody>");t.b("\n" + i);t.b("            </table>");t.b("\n" + i);t.b("        </div>");t.b("\n" + i);t.b("    </div>");t.b("\n" + i);t.b("</details>");return t.fl(); },partials: {}, subs: {  }}),
+  "side-by-side-file-diff": new Hogan.Template({code: function (c,p,i) { var t=this;t.b(i=i||"");t.b("<details id=\"");t.b(t.v(t.f("fileHtmlId",c,p,0)));t.b("\" class=\"d2h-file-wrapper\" data-lang=\"");t.b(t.v(t.d("file.language",c,p,0)));t.b("\">");t.b("\n" + i);t.b("    <summary class=\"d2h-file-header\">");t.b("\n" + i);t.b("      <code-icon class=\"file-icon--open\" icon=\"chevron-down\"></code-icon>");t.b("\n" + i);t.b("      <code-icon class=\"file-icon--closed\" icon=\"chevron-right\"></code-icon>");t.b("\n" + i);t.b("      ");t.b(t.t(t.f("filePath",c,p,0)));t.b("\n" + i);t.b("    </summary>");t.b("\n" + i);t.b("    <div class=\"d2h-files-diff\">");t.b("\n" + i);t.b("        <div class=\"d2h-file-side-diff\">");t.b("\n" + i);t.b("            <div class=\"d2h-code-wrapper\">");t.b("\n" + i);t.b("                <table class=\"d2h-diff-table\">");t.b("\n" + i);t.b("                    <tbody class=\"d2h-diff-tbody\">");t.b("\n" + i);t.b("                    ");t.b(t.t(t.d("diffs.left",c,p,0)));t.b("\n" + i);t.b("                    </tbody>");t.b("\n" + i);t.b("                </table>");t.b("\n" + i);t.b("            </div>");t.b("\n" + i);t.b("        </div>");t.b("\n" + i);t.b("        <div class=\"d2h-file-side-diff\">");t.b("\n" + i);t.b("            <div class=\"d2h-code-wrapper\">");t.b("\n" + i);t.b("                <table class=\"d2h-diff-table\">");t.b("\n" + i);t.b("                    <tbody class=\"d2h-diff-tbody\">");t.b("\n" + i);t.b("                    ");t.b(t.t(t.d("diffs.right",c,p,0)));t.b("\n" + i);t.b("                    </tbody>");t.b("\n" + i);t.b("                </table>");t.b("\n" + i);t.b("            </div>");t.b("\n" + i);t.b("        </div>");t.b("\n" + i);t.b("    </div>");t.b("\n" + i);t.b("</details>");return t.fl(); },partials: {}, subs: {  }}),
+  "generic-file-path": new Hogan.Template({code: function (c,p,i) { var t=this;t.b(i=i||"");t.b("<span class=\"d2h-file-name-wrapper\">");t.b("\n" + i);t.b("    <span class=\"d2h-file-name\">");t.b(t.v(t.f("fileDiffName",c,p,0)));t.b("</span>");t.b("\n" + i);t.b(t.rp("<fileTag0",c,p,"    "));t.b("</span>");t.b("\n" + i);t.b("<label class=\"d2h-file-collapse\" hidden>");t.b("\n" + i);t.b("    <input class=\"d2h-file-collapse-input\" type=\"checkbox\" name=\"viewed\" value=\"viewed\">");t.b("\n" + i);t.b("    Viewed");t.b("\n" + i);t.b("</label>");return t.fl(); },partials: {"<fileTag0":{name:"fileTag", partials: {}, subs: {  }}}, subs: {  }})
+};

src/webviews/apps/plus/composer/components/diff/diff-templates.compiled.ts

@@ -1,11 +1,10 @@
-import { html as html2 } from 'diff2html';
 import { ColorSchemeType } from 'diff2html/lib-esm/types';
 import type { Diff2HtmlUIConfig } from 'diff2html/lib-esm/ui/js/diff2html-ui.js';
 import { Diff2HtmlUI } from 'diff2html/lib-esm/ui/js/diff2html-ui.js';
-import { css, html, LitElement, nothing } from 'lit';
+import { css, html, LitElement } from 'lit';
 import { customElement, property, query } from 'lit/decorators.js';
-import { unsafeHTML } from 'lit/directives/unsafe-html.js';
 import { boxSizingBase } from '../../../../shared/components/styles/lit/base.css';
+import { compiledComposerTemplates } from './diff-templates.compiled';
 import { diff2htmlStyles, diffStyles, hljsStyles } from './diff.css';
 
 @customElement('gl-diff-hunk')
@@ -79,31 +78,15 @@ export class GlDiffHunk extends LitElement {
 			outputFormat: 'line-by-line',
 			drawFileList: false,
 			highlight: false,
-			rawTemplates: this.rawTemplates,
+			// NOTE: Avoiding passing rawTemplates to Diff2HtmlUI to prevent Diff2Html from
+			// compiling templates at runtime via Hogan.compile (which uses eval), which violates
+			// the webview CSP (no 'unsafe-eval'). If we need to customize templates in the future,
+			// switch to providing precompiled templates in the bundle instead of raw strings.
+			compiledTemplates: compiledComposerTemplates,
 		};
 		const diff = `${diffHeader}\n${hunkHeader}\n${hunkContent}`;
 		this.diff2htmlUi = new Diff2HtmlUI(this.targetElement, diff, config);
 		this.diff2htmlUi.draw();
 		// this.diff2htmlUi.highlightCode();
 	}
-
-	private renderDiff2() {
-		const diffHeader = this.diffHeader.trim();
-		const hunkHeader = this.hunkHeader.trim();
-		const hunkContent = this.hunkContent.trim();
-		if (!diffHeader || !hunkHeader || !hunkContent) {
-			return nothing;
-		}
-
-		const diff = `${diffHeader}\n${hunkHeader}\n${hunkContent}`;
-		const html = html2(diff, {
-			drawFileList: false,
-			// matching: 'lines',
-			outputFormat: 'line-by-line',
-			// colorScheme: this.isDarkMode ? ColorSchemeType.DARK : ColorSchemeType.LIGHT,
-			colorScheme: ColorSchemeType.AUTO,
-		});
-
-		return unsafeHTML(html);
-	}
 }

src/webviews/apps/plus/composer/components/diff/diff.ts

@@ -675,7 +675,7 @@ function getCspHtmlPlugin(mode, env) {
 			'script-src':
 				mode !== 'production'
 					? ['#{cspSource}', "'nonce-#{cspNonce}'", "'unsafe-eval'"]
-					: ['#{cspSource}', "'nonce-#{cspNonce}'", "'unsafe-eval'"],
+					: ['#{cspSource}', "'nonce-#{cspNonce}'"],
 			'style-src':
 				mode === 'production'
 					? ['#{cspSource}', "'nonce-#{cspNonce}'", "'unsafe-hashes'"]