markdowndocs 0.6.1 → 0.8.0

data/app/services/markdowndocs/markdown_renderer.rb

@@ -45,8 +45,9 @@ module Markdowndocs
       end
 
       def render_markdown(markdown)
-        doc = Commonmarker.parse(markdown, options: Markdowndocs.config.markdown_options)
-        html = doc.to_html(options: Markdowndocs.config.markdown_options)
+        options = markdown_render_options
+        doc = Commonmarker.parse(markdown, options: options)
+        html = doc.to_html(options: options)
         html = apply_syntax_highlighting(html)
         sanitize_html(html)
       rescue => e
@@ -56,7 +57,9 @@ module Markdowndocs
       end
 
       def apply_syntax_highlighting(html)
-        doc = Nokogiri::HTML.fragment(html)
+        # HTML5 parsing preserves case-sensitive SVG/MathML foreign-content
+        # attributes (e.g. viewBox) that Nokogiri::HTML would lowercase.
+        doc = Nokogiri::HTML5.fragment(html)
 
         doc.css("pre[lang]").each do |pre|
           language = pre["lang"]
@@ -91,25 +94,53 @@ module Markdowndocs
         "<pre><code>#{ERB::Util.html_escape(code)}</code></pre>"
       end
 
+      # Force commonmarker to pass raw HTML through when SVG is allowed, so the
+      # markup reaches the sanitizer (the security boundary) instead of being
+      # escaped. Returns a copy — does not mutate the configured options.
+      def markdown_render_options
+        options = Markdowndocs.config.markdown_options
+        return options unless Markdowndocs.config.allow_svg
+
+        options.merge(render: (options[:render] || {}).merge(unsafe: true))
+      end
+
+      BASE_SANITIZE_TAGS = %w[
+        h1 h2 h3 h4 h5 h6 p br hr blockquote
+        ul ol li dl dt dd
+        table thead tbody tfoot tr th td
+        a img
+        strong em b i u del
+        code pre span div
+      ].freeze
+
+      BASE_SANITIZE_ATTRS = %w[href title src alt align class lang].freeze
+
+      # Curated structural SVG subset. Deliberately excludes script,
+      # foreignObject, and SMIL animate/set tags, plus all on* handlers — the
+      # SafeListSanitizer drops anything not listed, so scripts/handlers and
+      # javascript: URIs are stripped even with unsafe HTML enabled.
+      SVG_SANITIZE_TAGS = %w[
+        svg g path rect circle ellipse line polyline polygon
+        text tspan defs marker title desc
+      ].freeze
+
+      SVG_SANITIZE_ATTRS = %w[
+        viewBox d points
+        x y x1 y1 x2 y2 cx cy r rx ry width height
+        fill stroke stroke-width stroke-linecap stroke-linejoin stroke-dasharray
+        transform opacity text-anchor dominant-baseline
+        font-size font-family font-weight
+        marker-start marker-end markerWidth markerHeight refX refY orient
+        role aria-label id
+      ].freeze
+
       def sanitize_html(html)
-        sanitizer = Rails::HTML5::SafeListSanitizer.new
+        allow_svg = Markdowndocs.config.allow_svg
 
-        sanitizer.sanitize(
+        Rails::HTML5::SafeListSanitizer.new.sanitize(
           html,
-          tags: %w[
-            h1 h2 h3 h4 h5 h6 p br hr blockquote
-            ul ol li dl dt dd
-            table thead tbody tfoot tr th td
-            a img
-            strong em b i u del
-            code pre span div
-          ],
-          attributes: %w[
-            href title
-            src alt
-            align
-            class lang
-          ]
+          tags: allow_svg ? BASE_SANITIZE_TAGS + SVG_SANITIZE_TAGS : BASE_SANITIZE_TAGS,
+          attributes: allow_svg ? BASE_SANITIZE_ATTRS + SVG_SANITIZE_ATTRS : BASE_SANITIZE_ATTRS
         )
       end
     end

data/app/views/markdowndocs/docs/_mode_switcher.html.erb

@@ -41,7 +41,8 @@
           turbo_action: "replace"
         }
       ) do |f| %>
-        <%= f.hidden_field :mode, value: mode %>
+        <%= f.hidden_field :mode, value: mode, id: nil %>
+        <%= f.hidden_field :current_path, value: request.fullpath, id: nil %>
         <button
           type="submit"
           role="radio"

data/app/views/markdowndocs/docs/show.html.erb

@@ -1,3 +1,5 @@
+<% content_for :title, "#{@doc.title} — Documentation" %>
+
 <div class="min-h-screen bg-gray-50 dark:bg-slate-900">
   <div class="max-w-7xl mx-auto px-4 py-12
         sm:px-6
@@ -66,7 +68,10 @@
           lg:grid-cols-12">
       <!-- Main content -->
       <main class="lg:col-span-8">
-        <article class="bg-white dark:bg-slate-800 rounded-lg shadow-sm p-8">
+        <article
+          tabindex="-1"
+          autofocus
+          class="bg-white dark:bg-slate-800 rounded-lg shadow-sm p-8">
           <div class="prose prose-indigo dark:prose-invert max-w-none">
             <%= raw @rendered_content %>
           </div>

data/config/routes.rb

@@ -3,6 +3,17 @@
 Markdowndocs::Engine.routes.draw do
   root "docs#index"
   get "search_index", to: "docs#search_index", as: :search_index
+
+  # Mode-scoped doc route: matches /<mode>/<slug> where <mode> is one of
+  # the configured modes. Must come BEFORE the unconstrained :slug route
+  # so the more specific match wins.
+  mode_constraint = if Markdowndocs.config.modes.any?
+    Regexp.new("(?:#{Markdowndocs.config.modes.map { |m| Regexp.escape(m) }.join("|")})")
+  else
+    /impossible/
+  end
+  get ":mode/:slug", to: "docs#show", as: :scoped_doc, constraints: {mode: mode_constraint}
+
   get ":slug", to: "docs#show", as: :doc
   resource :preference, only: [:update]
 end