Merge remote-tracking branch 'refs/remotes/origin/main'

lovasoa · lovasoa · commit befef0d7b838 · 2025-02-27T13:44:13.000+01:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,13 +1,18 @@
 # CHANGELOG.md
 
-## unreleased
+## 0.34.0 (unreleased)
+
  - `delete_link` in the list component now submits a POST request, instead of being a simple link.
   - This avoids accidental deletion by bots following links, and is more in line with HTTP semantics.
  - In the table component, the `_col_` prefix is now added to column names in CSS classes. This avoids conflicts with other CSS classes that might be used in the page.
   - fixes https://github.com/sqlpage/SQLPage/issues/830
   - This is a breaking change for custom CSS rules that target table columns by their name.
     - Before: `.my_column { ... }`
     - After: `._col_my_column { ... }`
+- New configuration options:
+  - `markdown_allow_dangerous_html`: allow the usage of html in markdown (default: false)
+  - `markdown_allow_dangerous_protocol`: allow the usage of custom protocols in markdown (default: false)
+  - see [configuration.md](./configuration.md) for more details.
 
 ## 0.33.1 (2025-02-25)
 
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "sqlpage"
-version = "0.33.1"
+version = "0.34.0"
 edition = "2021"
 description = "Build data user interfaces entirely in SQL. A web server that takes .sql files and formats the query result using pre-made configurable professional-looking components."
 keywords = ["web", "sql", "framework"]
diff --git a/configuration.md b/configuration.md
@@ -34,6 +34,8 @@ Here are the available configuration options and their default values:
 | `content_security_policy`                     | `script-src 'self' 'nonce-XXX` | The [Content Security Policy](https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP) to set in the HTTP headers. If you get CSP errors in the browser console, you can set this to the empty string to disable CSP. |
 | `system_root_ca_certificates`                 | false                                                      | Whether to use the system root CA certificates to validate SSL certificates when making http requests with `sqlpage.fetch`. If set to false, SQLPage will use its own set of root CA certificates. If the `SSL_CERT_FILE` or `SSL_CERT_DIR` environment variables are set, they will be used instead of the system root CA certificates. |
 | `max_recursion_depth`                         | 10                                                           | Maximum depth of recursion allowed in the `run_sql` function. Maximum value is 255. |
+| `markdown_allow_dangerous_html`               | false                                                        | Whether to allow raw HTML in markdown content. Only enable this if the markdown content is fully trusted (not user generated). |
+| `markdown_allow_dangerous_protocol`           | false                                                        | Whether to allow dangerous protocols (like javascript:) in markdown links. Only enable this if the markdown content is fully trusted (not user generated). |
 
 Multiple configuration file formats are supported:
 you can use a [`.json5`](https://json5.org/) file, a [`.toml`](https://toml.io/) file, or a [`.yaml`](https://en.wikipedia.org/wiki/YAML#Syntax) file.
diff --git a/examples/official-site/sqlpage/migrations/10_map.sql b/examples/official-site/sqlpage/migrations/10_map.sql
@@ -85,6 +85,14 @@ VALUES
         TRUE,
         TRUE
     ),
+    (
+        'map',
+        'height',
+        'Height of the map, in pixels. Default to 350px',
+        'INTEGER',
+        TRUE,
+        TRUE
+    ),
     (
         'map',
         'latitude',
@@ -246,4 +254,4 @@ or abstract 2D data visualizations.
             }
             ]'
         )
-    );
+    );
diff --git a/src/app_config.rs b/src/app_config.rs
@@ -143,6 +143,7 @@ pub fn load_from_env() -> anyhow::Result<AppConfig> {
 }
 
 #[derive(Debug, Deserialize, PartialEq, Clone)]
+#[allow(clippy::struct_excessive_bools)]
 pub struct AppConfig {
     #[serde(default = "default_database_url")]
     pub database_url: String,
@@ -248,6 +249,12 @@ pub struct AppConfig {
     /// Maximum depth of recursion allowed in the `run_sql` function.
     #[serde(default = "default_max_recursion_depth")]
     pub max_recursion_depth: u8,
+
+    #[serde(default = "default_markdown_allow_dangerous_html")]
+    pub markdown_allow_dangerous_html: bool,
+
+    #[serde(default = "default_markdown_allow_dangerous_protocol")]
+    pub markdown_allow_dangerous_protocol: bool,
 }
 
 impl AppConfig {
@@ -506,6 +513,14 @@ fn default_max_recursion_depth() -> u8 {
     10
 }
 
+fn default_markdown_allow_dangerous_html() -> bool {
+    false
+}
+
+fn default_markdown_allow_dangerous_protocol() -> bool {
+    false
+}
+
 #[derive(Debug, Deserialize, Serialize, PartialEq, Clone, Copy, Eq, Default)]
 #[serde(rename_all = "lowercase")]
 pub enum DevOrProd {
diff --git a/src/template_helpers.rs b/src/template_helpers.rs
@@ -66,7 +66,7 @@ pub fn register_all_helpers(h: &mut Handlebars<'_>, config: &AppConfig) {
 
     // icon helper: generate an image with the specified icon
     h.register_helper("icon_img", Box::new(IconImgHelper(site_prefix)));
-    register_helper(h, "markdown", markdown_helper as EH);
+    register_helper(h, "markdown", MarkdownHelper::new(config));
     register_helper(h, "buildinfo", buildinfo_helper as EH);
     register_helper(h, "typeof", typeof_helper as H);
     register_helper(h, "rfc2822_date", rfc2822_date_helper as EH);
@@ -250,21 +250,45 @@ fn typeof_helper(v: &JsonValue) -> JsonValue {
     .into()
 }
 
-fn markdown_helper(x: &JsonValue) -> anyhow::Result<JsonValue> {
-    let as_str = match x {
-        JsonValue::String(s) => Cow::Borrowed(s),
-        JsonValue::Array(arr) => Cow::Owned(
-            arr.iter()
-                .map(|v| v.as_str().unwrap_or_default())
-                .collect::<Vec<_>>()
-                .join("\n"),
-        ),
-        JsonValue::Null => Cow::Owned(String::new()),
-        other => Cow::Owned(other.to_string()),
-    };
-    markdown::to_html_with_options(&as_str, &markdown::Options::gfm())
-        .map(JsonValue::String)
-        .map_err(|e| anyhow::anyhow!("markdown error: {e}"))
+/// Helper to render markdown with configurable options
+struct MarkdownHelper {
+    allow_dangerous_html: bool,
+    allow_dangerous_protocol: bool,
+}
+
+impl MarkdownHelper {
+    fn new(config: &AppConfig) -> Self {
+        Self {
+            allow_dangerous_html: config.markdown_allow_dangerous_html,
+            allow_dangerous_protocol: config.markdown_allow_dangerous_protocol,
+        }
+    }
+}
+
+impl CanHelp for MarkdownHelper {
+    fn call(&self, args: &[PathAndJson]) -> Result<JsonValue, String> {
+        let as_str = match args {
+            [v] => v.value(),
+            _ => return Err("expected one argument".to_string()),
+        };
+        let as_str = match as_str {
+            JsonValue::String(s) => Cow::Borrowed(s),
+            JsonValue::Array(arr) => Cow::Owned(
+                arr.iter()
+                    .map(|v| v.as_str().unwrap_or_default())
+                    .collect::<Vec<_>>()
+                    .join("\n"),
+            ),
+            JsonValue::Null => Cow::Owned(String::new()),
+            other => Cow::Owned(other.to_string()),
+        };
+        let mut options = markdown::Options::gfm();
+        options.compile.allow_dangerous_html = self.allow_dangerous_html;
+        options.compile.allow_dangerous_protocol = self.allow_dangerous_protocol;
+        markdown::to_html_with_options(&as_str, &options)
+            .map(JsonValue::String)
+            .map_err(|e| e.to_string())
+    }
 }
 
 fn buildinfo_helper(x: &JsonValue) -> anyhow::Result<JsonValue> {
