Sutty/panel
5
0
Fork 0
mirror of https://0xacab.org/sutty/sutty synced 2025-02-19 23:31:52 +00:00
Code Issues Projects Releases Wiki Activity

Merge branch 'usar-sutty-editor' into panel.sutty.nl

Browse source
This commit is contained in:
f 2023-02-01 17:33:57 -03:00
commit e9ed87afdf
3 changed files with 78 additions and 15 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

89
app/models/metadata_content.rb
View file

@ -24,7 +24,11 @@ class MetadataContent < MetadataTemplate
end
def to_s
sanitizer.sanitize value, tags: [], attributes: []
Nokogiri::HTML.fragment(value).tap do |html|
html.css('[src^="public/"]').each do |element|
element['src'] = convert_internal_path_to_src element['src']
end
end.to_s
end
private
@ -47,16 +51,17 @@ class MetadataContent < MetadataTemplate
# Eliminar elementos sin src y comprobar su origen
html.css(elements).each do |element|
unless element['src']
element.remove
next
end
begin
raise URI::Error unless element['src'].present?
uri = URI element['src']
# No permitimos recursos externos
element.remove unless uri.scheme == 'https' && uri.hostname.end_with?(Site.domain)
raise URI::Error unless Rails.application.config.hosts.include?(uri.hostname)
element['src'] = convert_src_to_internal_path uri
raise URI::Error if element['src'].blank?
rescue URI::Error
element.remove
end
@ -73,16 +78,74 @@ class MetadataContent < MetadataTemplate
end
# Elimina los estilos salvo los que asigne el editor
html.css('*').each do |element|
next if elements_with_style.include? element.name.downcase
element.remove_attribute('style')
html.css('[style]').each do |element|
if (style = sanitize_style(element['style'])).present?
element['style'] = style
else
element.remove_attribute('style')
end
end
html.to_s.html_safe
end
def elements_with_style
@elements_with_style ||= %w[div mark].freeze
# Limpia estilos en base a una lista de permitidos
#
# @param style [String]
# @return [String]
def sanitize_style(style)
style.split(';').reduce({}) do |style_hash, style_string|
key, value = style_string.split(':', 2)
style_hash[key] ||= value
style_hash
end.slice(*allowed_styles).map do |style_pair|
style_pair.join(':')
end.join(';')
end
# Estilos permitidos
#
# @return [Array<String>]
def allowed_styles
@allowed_styles ||= %w[text-align color background-color]
end
# Convierte una ubicación local al sitio en una URL de ActiveStorage
#
# XXX: Por qué son tan díficiles de encontrar las rutas de AS
#
# @param path [String]
# @return [String]
def convert_internal_path_to_src(path)
key = path.split('/').second
blob = ActiveStorage::Blob.find_by(service_name: site.name, key: key)
return unless blob
"/rails/active_storage/blobs/#{blob.signed_id}/#{blob.filename}"
end
# Convierte una URI en una ruta interna del sitio actual
#
# XXX: No verifica si el archivo existe o no. Se supone que existe
# porque ya fue subido antes.
#
# @param uri [URI]
# @return [String,nil]
def convert_src_to_internal_path(uri)
signed_id = uri.path.split('/').fifth
blob = ActiveStorage::Blob.find_signed(signed_id)
return unless blob
return unless blob.service_name == site.name
blob_path = Pathname.new(blob.service.path_for(blob.key)).realpath
site_path = Pathname.new(site.path).realpath
blob_path.relative_path_from(site_path).to_s
rescue ActiveSupport::MessageVerifier::InvalidSignature => e
ExceptionNotifier.notify_exception(e, data: { site: site.name })
nil
end
end

2
app/views/posts/attributes/_new_content.haml
View file

@ -4,6 +4,6 @@
post: post, attribute: attribute, metadata: metadata
.new-editor.content{ id: attribute }
= text_area_tag "#{base}[#{attribute}]", metadata.value.html_safe,
= text_area_tag "#{base}[#{attribute}]", metadata.to_s.html_safe,
dir: dir, lang: locale,
**field_options(attribute, metadata), class: 'd-none'

2
app/views/posts/show.haml
View file

@ -38,4 +38,4 @@
- cache [metadata, I18n.locale] do
%section.content.pb-3{ id: attr, dir: dir }
= @post.public_send(attr).value.html_safe
= @post.public_send(attr).to_s.html_safe