markdownr 0.6.17 → 0.7.1

data/lib/markdown_server/helpers/admin_helpers.rb

@@ -0,0 +1,42 @@
+module MarkdownServer
+  module Helpers
+    module AdminHelpers
+      def setup_config
+        @setup_config ||= begin
+          path = File.join(root_dir, ".setup.yml")
+          (File.exist?(path) && YAML.safe_load(File.read(path))) || {}
+        rescue StandardError
+          {}
+        end
+      end
+
+      def client_ip
+        if settings.behind_proxy
+          fwd = env["HTTP_X_FORWARDED_FOR"].to_s.split(",").map(&:strip).first
+          fwd && !fwd.empty? ? fwd : env["REMOTE_ADDR"]
+        else
+          env["REMOTE_ADDR"]
+        end
+      end
+
+      def admin?
+        return true if session[:admin]
+
+        adm = setup_config["admin"]
+        return false unless adm.is_a?(Hash)
+
+        return true if adm["ip"].to_s.strip == client_ip
+
+        if adm["user"] && adm["pw"]
+          auth = request.env["HTTP_AUTHORIZATION"].to_s
+          if auth.start_with?("Basic ")
+            user, pw = Base64.decode64(auth[6..]).split(":", 2)
+            return true if user == adm["user"].to_s && pw == adm["pw"].to_s
+          end
+        end
+
+        false
+      end
+    end
+  end
+end

data/lib/markdown_server/helpers/fetch_helpers.rb

@@ -0,0 +1,178 @@
+module MarkdownServer
+  module Helpers
+    module FetchHelpers
+      # CSS cache for external stylesheets (keyed by absolute URL)
+      @@css_cache = {}
+      CSS_TTL = 3600 # 1 hour
+
+      FETCH_MAX_BYTES = 512_000
+      FETCH_TIMEOUT   = 5
+
+      # Tags kept as-is (attributes stripped)
+      ALLOWED_HTML = %w[p h1 h2 h3 h4 h5 h6 blockquote ul ol li
+                        pre br hr strong b em i sup sub code
+                        table tr td th].to_set
+      # Block containers — replaced with a newline (content kept)
+      BLOCK_HTML   = %w[div section aside figure figcaption
+                        thead tbody tfoot].to_set
+      # Elements removed completely, including their content
+      STRIP_FULL   = %w[script style nav header footer form input
+                        button select textarea svg iframe noscript].to_set
+
+      # ── HTTP Fetching ─────────────────────────────────────────────────────
+
+      def fetch_css(url_str)
+        cached = @@css_cache[url_str]
+        return cached[:body] if cached && (Time.now - cached[:at]) < CSS_TTL
+
+        uri = URI.parse(url_str)
+        return nil unless uri.is_a?(URI::HTTP) || uri.is_a?(URI::HTTPS)
+        http = Net::HTTP.new(uri.host, uri.port)
+        http.use_ssl = (uri.scheme == "https")
+        http.open_timeout = FETCH_TIMEOUT
+        http.read_timeout = FETCH_TIMEOUT
+        req = Net::HTTP::Get.new(uri.request_uri)
+        req["Accept"] = "text/css"
+        resp = http.request(req)
+        body = resp.is_a?(Net::HTTPSuccess) ? resp.body.to_s.encode("utf-8", invalid: :replace, undef: :replace) : nil
+        @@css_cache[url_str] = { body: body, at: Time.now } if body
+        body
+      rescue
+        @@css_cache.dig(url_str, :body)
+      end
+
+      def fetch_external_page(url_str)
+        uri = URI.parse(url_str)
+        return nil unless uri.is_a?(URI::HTTP) || uri.is_a?(URI::HTTPS)
+        fetch_follow_redirects(uri, 5)
+      rescue
+        nil
+      end
+
+      def fetch_follow_redirects(uri, limit)
+        return nil if limit <= 0
+        http = Net::HTTP.new(uri.host, uri.port)
+        http.use_ssl = (uri.scheme == "https")
+        http.open_timeout = FETCH_TIMEOUT
+        http.read_timeout = FETCH_TIMEOUT
+        req = Net::HTTP::Get.new(uri.request_uri)
+        req["User-Agent"] = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36"
+        req["Accept"] = "text/html,application/xhtml+xml;q=0.9,*/*;q=0.8"
+        req["Accept-Language"] = "en-US,en;q=0.5"
+        resp = http.request(req)
+        case resp
+        when Net::HTTPSuccess
+          ct = resp["content-type"].to_s
+          return nil unless ct.match?(/html|text/i)
+          body = resp.body.to_s
+          body = body.b[0, FETCH_MAX_BYTES].force_encoding("utf-8")
+          body.encode("utf-8", invalid: :replace, undef: :replace, replace: "?")
+        when Net::HTTPRedirection
+          loc = resp["Location"].to_s
+          new_uri = (URI.parse(loc) rescue nil)
+          return nil unless new_uri
+          new_uri = uri + new_uri unless new_uri.absolute?
+          return nil unless new_uri.is_a?(URI::HTTP) || new_uri.is_a?(URI::HTTPS)
+          fetch_follow_redirects(new_uri, limit - 1)
+        end
+      rescue
+        nil
+      end
+
+      # ── HTML Extraction & Sanitization ────────────────────────────────────
+
+      def page_title(html)
+        html.match(/<title[^>]*>(.*?)<\/title>/im)&.then { |m|
+          m[1].gsub(/<[^>]+>/, "").gsub(/&amp;/i, "&").gsub(/&lt;/i, "<")
+              .gsub(/&gt;/i, ">").gsub(/&quot;/i, '"').gsub(/&#?\w+;/, "").strip
+        } || ""
+      end
+
+      def page_html(raw, base_url = nil)
+        w = raw.dup
+        STRIP_FULL.each { |t| w.gsub!(/<#{t}[^>]*>.*?<\/#{t}>/im, " ") }
+        w.gsub!(/<!--.*?-->/m, " ")
+        w.gsub!(/Bible\s+Gateway\s+Recommends[\s\S]*?View\s+more\s+titles/i, " ")
+        w.gsub!(/trusted\s+resources\s+beside\s+every\s+verse[\s\S]*?Your\s+Content/i, " ")
+        w.gsub!(/Log\s+In\s*\/\s*Sign\s+Up[\s\S]*?Your\s+Content/i, " ")
+
+        content = w.match(/<article[^>]*>(.*?)<\/article>/im)&.[](1) ||
+                  w.match(/<main[^>]*>(.*?)<\/main>/im)&.[](1) ||
+                  w.match(/<body[^>]*>(.*?)<\/body>/im)&.[](1) ||
+                  w
+
+        out = sanitize_html_tags(content, base_url)
+        out.sub!(/\A[\s\S]*?(?=<h[1-6]>)/i, "")
+        out = decode_html_entities(out)
+        out.gsub!(/(<a[^>]*>Read\s+full\s+chapter<\/a>)[\s\S]*?(?=©|Copyright\b)/i, "\\1\n")
+
+        out.length > 10_000 ? out[0, 10_000] : out
+      end
+
+      # ── Asset Injection ───────────────────────────────────────────────────
+
+      def inject_assets_for_html_path?(_relative_path)
+        true
+      end
+
+      def inject_markdownr_assets(html_content)
+        settings.plugins.each { |p| html_content = p.transform_html(html_content, self) }
+
+        popup_config_script = "<script>var __popupConfig = {" \
+          "localMd:#{settings.popup_local_md}," \
+          "localHtml:#{settings.popup_local_html}," \
+          "external:#{settings.popup_external}," \
+          "externalDomains:#{settings.popup_external_domains.to_json}" \
+          "};</script>\n"
+        assets = popup_config_script + File.read(File.join(settings.views, "popup_assets.erb"))
+        inserted = false
+        result = html_content.sub(/<\/(body|html)>/i) { inserted = true; "#{assets}</#{$1}>" }
+        inserted ? result : html_content + assets
+      end
+
+      private
+
+      def decode_html_entities(text)
+        text
+          .gsub(/&nbsp;/i, " ").gsub(/&amp;/i, "&").gsub(/&lt;/i, "<").gsub(/&gt;/i, ">")
+          .gsub(/&quot;/i, '"').gsub(/&apos;/i, "'")
+          .gsub(/&mdash;/i, "—").gsub(/&ndash;/i, "–").gsub(/&hellip;/i, "…")
+          .gsub(/&#(\d+);/)         { [$1.to_i].pack("U")      rescue " " }
+          .gsub(/&#x([\da-f]+);/i)  { [$1.to_i(16)].pack("U") rescue " " }
+          .gsub(/&\w+;/, " ")
+          .gsub(/[ \t]+/, " ")
+          .gsub(/\n{3,}/, "\n\n")
+          .gsub(/<(\w+)>\s*<\/\1>/, "")
+          .strip
+      end
+
+      def sanitize_html_tags(content, base_url = nil)
+        content.gsub(/<(\/?)(\w+)([^>]*)>/) do
+          slash, tag, attrs = $1, $2.downcase, $3
+          if ALLOWED_HTML.include?(tag)
+            "<#{slash}#{tag}>"
+          elsif tag == "a"
+            if slash.empty?
+              m = attrs.match(/href\s*=\s*["']([^"']*)["']/i)
+              if m && !m[1].match?(/\Ajavascript:/i)
+                href = m[1].gsub(/&amp;/i, "&")
+                if base_url && href !~ /\Ahttps?:\/\//i && !href.start_with?("#")
+                  href = (URI.join(base_url, href).to_s rescue href)
+                end
+                %(<a href="#{h(href)}" target="_blank" rel="noopener">)
+              else
+                ""
+              end
+            else
+              "</a>"
+            end
+          elsif BLOCK_HTML.include?(tag)
+            "\n"
+          else
+            ""
+          end
+        end
+      end
+    end
+  end
+end

data/lib/markdown_server/helpers/formatting_helpers.rb

@@ -0,0 +1,78 @@
+module MarkdownServer
+  module Helpers
+    module FormattingHelpers
+      def format_size(bytes)
+        if bytes < 1024
+          "#{bytes} B"
+        elsif bytes < 1024 * 1024
+          "%.1f KB" % (bytes / 1024.0)
+        else
+          "%.1f MB" % (bytes / (1024.0 * 1024))
+        end
+      end
+
+      def format_date(time)
+        time.strftime("%Y-%m-%d %H:%M")
+      end
+
+      def icon_for(entry_name, is_dir)
+        if is_dir
+          "\u{1F4C1}"
+        else
+          ext = File.extname(entry_name).downcase
+          case ext
+          when ".md" then "\u{1F4DD}"
+          when ".pdf" then "\u{1F4D5}"
+          when ".json" then "\u{1F4CB}"
+          when ".py" then "\u{1F40D}"
+          when ".rb" then "\u{1F48E}"
+          when ".csv" then "\u{1F4CA}"
+          when ".epub" then "\u{1F4D6}"
+          else "\u{1F4C4}"
+          end
+        end
+      end
+
+      def breadcrumbs(path)
+        parts = path.split("/").reject(&:empty?)
+        crumbs = [{ name: "home", href: "/browse/" }]
+        parts.each_with_index do |part, i|
+          href = "/browse/" + parts[0..i].map { |p| encode_path_component(p) }.join("/") + "/"
+          crumbs << { name: part, href: href }
+        end
+        crumbs
+      end
+
+      def dir_title
+        return settings.custom_title if settings.respond_to?(:custom_title) && settings.custom_title
+        File.basename(root_dir).gsub(/[-_]/, " ").gsub(/\b\w/, &:upcase)
+      end
+
+      def inline_directory_html(dir_path, relative_dir)
+        entries = Dir.entries(dir_path).reject { |e| e.start_with?(".") || EXCLUDED.include?(e) }
+        items = entries.map do |name|
+          stat = File.stat(File.join(dir_path, name)) rescue next
+          is_dir = stat.directory?
+          href = "/browse/" + (relative_dir.empty? ? "" : relative_dir + "/") +
+                 encode_path_component(name) + (is_dir ? "/" : "")
+          { name: name, is_dir: is_dir, href: href }
+        end.compact.sort_by { |i| [i[:is_dir] ? 0 : 1, i[:name].downcase] }
+
+        rows = items.map do |i|
+          %(<li><a href="#{h(i[:href])}"><span class="icon">#{icon_for(i[:name], i[:is_dir])}</span> ) +
+          %(#{h(i[:name])}#{i[:is_dir] ? "/" : ""}</a></li>)
+        end.join
+        %(<ul class="dir-listing">#{rows}</ul>)
+      end
+
+      def search_form_path(relative_path)
+        "/search/" + relative_path.split("/").map { |p| encode_path_component(p) }.join("/")
+      end
+
+      def parent_dir_path(relative_path)
+        parts = relative_path.split("/")
+        parts.length > 1 ? parts[0..-2].join("/") : ""
+      end
+    end
+  end
+end

data/lib/markdown_server/helpers/markdown_helpers.rb

@@ -0,0 +1,216 @@
+module MarkdownServer
+  module Helpers
+    module MarkdownHelpers
+      def parse_frontmatter(content)
+        if content =~ /\A---\s*\n(.*?\n)---\s*\n(.*)/m
+          begin
+            meta = YAML.safe_load($1, permitted_classes: [Date, Time])
+            body = $2
+            [meta, body]
+          rescue => e
+            [nil, content]
+          end
+        else
+          [nil, content]
+        end
+      end
+
+      def render_markdown(text)
+        # Convert mermaid code fences to raw HTML divs before Kramdown so Rouge
+        # never touches them and the content is preserved exactly for Mermaid.js.
+        text = text.gsub(/^```mermaid[ \t]*\r?\n([\s\S]*?)^```[ \t]*(\r?\n|\z)/m) do
+          "<div class=\"mermaid\">\n#{h($1.rstrip)}\n</div>\n\n"
+        end
+
+        # Run plugin markdown transformations (e.g. Bible citation auto-linking)
+        settings.plugins.each { |p| text = p.transform_markdown(text) }
+
+        # Process wiki links BEFORE Kramdown so that | isn't consumed as
+        # a GFM table delimiter.
+        text = text.gsub(/\[\[([^\]]+)\]\]/) do
+          raw = $1
+          if raw.include?("|")
+            target, display = raw.split("|", 2)
+          else
+            target = raw
+            display = nil
+          end
+
+          if target.start_with?("#")
+            heading_text = target[1..]
+            anchor = heading_text.downcase.gsub(/\s+/, "-").gsub(/[^\w-]/, "")
+            label = display || heading_text
+            %(<a class="wiki-link" href="##{h(anchor)}">#{h(label)}</a>)
+          else
+            file_part, anchor_part = target.split("#", 2)
+            anchor_suffix = anchor_part ? "##{anchor_part.downcase.gsub(/\s+/, '-').gsub(/[^\w-]/, '')}" : ""
+            resolved = resolve_wiki_link(file_part)
+            label = display || target
+            if resolved
+              %(<a class="wiki-link" href="/browse/#{encode_path_component(resolved).gsub('%2F', '/')}#{anchor_suffix}">#{h(label)}</a>)
+            else
+              %(<span class="wiki-link broken">#{h(label)}</span>)
+            end
+          end
+        end
+
+        html = Kramdown::Document.new(
+          text,
+          input: "GFM",
+          syntax_highlighter: "rouge",
+          syntax_highlighter_opts: { default_lang: "text" },
+          hard_wrap: settings.hard_wrap
+        ).to_html
+
+        # Restore non-numeric footnote labels: Kramdown converts all footnote
+        # references to sequential numbers, but we want [^abc] to display "abc".
+        html = html.gsub(%r{<sup id="fnref:([^"]+)"[^>]*>\s*<a href="#fn:\1"[^>]*>\d+</a>\s*</sup>}m) do
+          full_match = $&
+          name = $1
+          if name =~ /\A\d+\z/
+            full_match
+          else
+            %(<sup id="fnref:#{name}" role="doc-noteref"><a href="#fn:#{name}" class="footnote" rel="footnote">#{h(name)}</a></sup>)
+          end
+        end
+        html.gsub(%r{<li id="fn:([^"]+)"[^>]*>\s*<p>}m) do
+          full_match = $&
+          name = $1
+          if name =~ /\A\d+\z/
+            full_match
+          else
+            %(<li id="fn:#{name}"><p><strong>#{h(name)}:</strong> )
+          end
+        end
+      end
+
+      def resolve_wiki_link(name)
+        filename = "#{name}.md"
+        base = File.realpath(root_dir)
+        # On case-sensitive filesystems (Linux/Docker), FNM_CASEFOLD doesn't help
+        # with directory listings. Try exact filename first, then lowercased variant.
+        candidates = [filename]
+        candidates << filename.downcase if filename != filename.downcase
+
+        # Check the current file's directory first (exact case, then case-insensitive)
+        if @current_wiki_dir
+          local_exact = nil
+          local_ci = nil
+          candidates.each do |fn|
+            Dir.glob(File.join(@current_wiki_dir, fn)).each do |path|
+              real = File.realpath(path) rescue next
+              next unless real.start_with?(base)
+              relative = real.sub("#{base}/", "")
+              first_segment = relative.split("/").first
+              next if EXCLUDED.include?(first_segment) || first_segment&.start_with?(".")
+              if File.basename(real) == filename
+                local_exact = relative
+                break
+              else
+                local_ci ||= relative
+              end
+            end
+            break if local_exact
+          end
+          return local_exact if local_exact
+          return local_ci if local_ci
+        end
+
+        # Fall back to global recursive search
+        exact_match = nil
+        ci_match = nil
+        candidates.each do |fn|
+          Dir.glob(File.join(base, "**", fn)).each do |path|
+            real = File.realpath(path) rescue next
+            next unless real.start_with?(base)
+            relative = real.sub("#{base}/", "")
+            first_segment = relative.split("/").first
+            next if EXCLUDED.include?(first_segment) || first_segment&.start_with?(".")
+            if File.basename(real) == filename
+              exact_match ||= relative
+            else
+              ci_match ||= relative
+            end
+          end
+          break if exact_match
+        end
+
+        exact_match || ci_match
+      end
+
+      def render_inline_wiki_links(str)
+        result = ""
+        last_end = 0
+        str.scan(/\[\[([^\]]+)\]\]/) do |match|
+          raw = match[0]
+          m_start = $~.begin(0)
+          m_end = $~.end(0)
+          result += h(str[last_end...m_start])
+          target, display = raw.include?("|") ? raw.split("|", 2) : [raw, nil]
+          label = display || target
+          if target.start_with?("#")
+            anchor = target[1..].downcase.gsub(/\s+/, "-").gsub(/[^\w-]/, "")
+            result += %(<a class="wiki-link" href="##{h(anchor)}">#{h(label)}</a>)
+          else
+            file_part, anchor_part = target.split("#", 2)
+            anchor_suffix = anchor_part ? "##{anchor_part.downcase.gsub(/\s+/, '-').gsub(/[^\w-]/, '')}" : ""
+            resolved = resolve_wiki_link(file_part)
+            if resolved
+              result += %(<a class="wiki-link" href="/browse/#{encode_path_component(resolved).gsub('%2F', '/')}#{anchor_suffix}">#{h(label)}</a>)
+            else
+              result += %(<span class="wiki-link broken">#{h(label)}</span>)
+            end
+          end
+          last_end = m_end
+        end
+        result += h(str[last_end..])
+        result
+      end
+
+      def render_frontmatter_value(value)
+        case value
+        when Array
+          value.map { |v|
+            str = v.to_s
+            if str.include?("[[")
+              render_inline_wiki_links(str)
+            else
+              %(<span class="tag">#{h(str)}</span>)
+            end
+          }.join(" ")
+        when String
+          if value =~ /\Ahttps?:\/\//
+            %(<a href="#{h(value)}" target="_blank" rel="noopener">#{h(value)}</a>)
+          elsif value.include?("[[")
+            render_inline_wiki_links(value)
+          elsif value.length > 120
+            render_markdown(value)
+          else
+            h(value)
+          end
+        when Numeric, TrueClass, FalseClass
+          h(value.to_s)
+        when NilClass
+          %(<span class="empty">—</span>)
+        else
+          h(value.to_s)
+        end
+      end
+
+      def syntax_highlight(code, language)
+        formatter = Rouge::Formatters::HTML.new
+        lexer = Rouge::Lexer.find_fancy(language) || Rouge::Lexers::PlainText.new
+        formatter.format(lexer.lex(code))
+      end
+
+      def extract_toc(html)
+        headings = []
+        html.scan(/<h([1-6])\s[^>]*id="([^"]*)"[^>]*>(.*?)<\/h\1>/mi) do |level, id, text|
+          clean_text = text.gsub(/<sup[^>]*id="fnref:[^"]*"[^>]*>.*?<\/sup>/i, "").gsub(/<[^>]+>/, "").strip
+          headings << { level: level.to_i, id: id, text: clean_text }
+        end
+        headings
+      end
+    end
+  end
+end

data/lib/markdown_server/helpers/path_helpers.rb

@@ -0,0 +1,40 @@
+module MarkdownServer
+  module Helpers
+    module PathHelpers
+      def root_dir
+        settings.root_dir
+      end
+
+      def h(text)
+        CGI.escapeHTML(text.to_s)
+      end
+
+      def encode_path_component(str)
+        URI.encode_www_form_component(str).gsub("+", "%20")
+      end
+
+      def safe_path(requested)
+        base = File.realpath(root_dir)
+        full = File.join(base, requested)
+
+        begin
+          real = File.realpath(full)
+        rescue Errno::ENOENT
+          halt 404, erb(:layout) { "<h1>Not Found</h1><p>#{h(requested)}</p>" }
+        end
+
+        unless real.start_with?(base)
+          halt 403, erb(:layout) { "<h1>Forbidden</h1>" }
+        end
+
+        relative = real.sub("#{base}/", "")
+        first_segment = relative.split("/").first
+        if EXCLUDED.include?(first_segment) || first_segment&.start_with?(".")
+          halt 403, erb(:layout) { "<h1>Forbidden</h1>" }
+        end
+
+        real
+      end
+    end
+  end
+end