@adobe/helix-html-pipeline 3.7.5 → 3.7.7

package/CHANGELOG.md

@@ -1,3 +1,17 @@
+## [3.7.7](https://github.com/adobe/helix-html-pipeline/compare/v3.7.6...v3.7.7) (2022-12-08)
+
+
+### Bug Fixes
+
+* remove og:url meta tag if overridden with ""  ([d605625](https://github.com/adobe/helix-html-pipeline/commit/d6056258ab5188362cd6afd94cd860a5dca6880a)), closes [#214](https://github.com/adobe/helix-html-pipeline/issues/214)
+
+## [3.7.6](https://github.com/adobe/helix-html-pipeline/compare/v3.7.5...v3.7.6) (2022-11-29)
+
+
+### Bug Fixes
+
+* improve custom header handling ([#205](https://github.com/adobe/helix-html-pipeline/issues/205)) ([3867fef](https://github.com/adobe/helix-html-pipeline/commit/3867fef601735ed8dc6921c0391bd0de148f0245)), closes [#204](https://github.com/adobe/helix-html-pipeline/issues/204) [#202](https://github.com/adobe/helix-html-pipeline/issues/202) [#199](https://github.com/adobe/helix-html-pipeline/issues/199)
+
 ## [3.7.5](https://github.com/adobe/helix-html-pipeline/compare/v3.7.4...v3.7.5) (2022-11-18)
 
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@adobe/helix-html-pipeline",
-  "version": "3.7.5",
+  "version": "3.7.7",
   "description": "Helix HTML Pipeline",
   "main": "src/index.js",
   "types": "src/index.d.ts",
@@ -50,7 +50,7 @@
     "hast-util-to-html": "8.0.3",
     "hast-util-to-string": "2.0.0",
     "hastscript": "7.1.0",
-    "jose": "4.11.0",
+    "jose": "4.11.1",
     "mdast-util-gfm-footnote": "1.0.1",
     "mdast-util-gfm-strikethrough": "1.0.2",
     "mdast-util-gfm-table": "1.0.6",
@@ -79,20 +79,20 @@
   "devDependencies": {
     "@adobe/eslint-config-helix": "1.3.2",
     "@markedjs/html-differ": "4.0.2",
-    "@semantic-release/changelog": "6.0.1",
+    "@semantic-release/changelog": "6.0.2",
     "@semantic-release/git": "10.0.1",
     "@semantic-release/npm": "9.0.1",
     "c8": "7.12.0",
-    "eslint": "8.27.0",
+    "eslint": "8.29.0",
     "eslint-import-resolver-exports": "1.0.0-beta.3",
     "eslint-plugin-header": "3.1.1",
     "eslint-plugin-import": "2.26.0",
-    "esmock": "2.0.7",
+    "esmock": "2.1.0",
     "husky": "8.0.2",
     "js-yaml": "4.1.0",
-    "jsdom": "20.0.2",
+    "jsdom": "20.0.3",
     "junit-report-builder": "3.0.1",
-    "lint-staged": "13.0.3",
+    "lint-staged": "13.0.4",
     "mocha": "10.1.0",
     "mocha-multi-reporters": "1.5.1",
     "remark-gfm": "3.0.1",

package/src/steps/extract-metadata.js

@@ -161,8 +161,6 @@ export default function extractMetaData(state, req) {
     getLocalMetadata(hast),
   );
 
-  const IGNORED_CUSTOM_META = ['twitter:card'];
-
   // first process supported metadata properties
   [
     'title',
@@ -179,19 +177,12 @@ export default function extractMetaData(state, req) {
       delete metaConfig[name];
     }
   });
-  if (Object.keys(metaConfig).length > 0) {
-    // add rest to meta.custom
-    meta.custom = Object.entries(metaConfig)
-      .filter(([name]) => !IGNORED_CUSTOM_META.includes(name))
-      .map(([name, value]) => ({
-        name,
-        value,
-        property: name.includes(':'),
-      }));
-  }
-
   // default value for twitter:card (mandatory for rendering URLs as cards in tweets)
   meta['twitter:card'] = metaConfig['twitter:card'] || 'summary_large_image';
+  delete metaConfig['twitter:card'];
+
+  // add rest to meta.custom
+  meta.custom = metaConfig;
 
   if (meta.keywords) {
     meta.keywords = toList(meta.keywords).join(', ');

package/src/steps/render.js

@@ -55,29 +55,51 @@ export default async function render(state, req, res) {
   ]);
 
   // add meta
+  // (this is so complicated to keep the order backward compatible to make the diff tests happy)
+  const metadata = {
+    'og:title': meta.title,
+    'og:description': meta.description,
+    'og:url': meta.url,
+    'og:image': meta.image,
+    'og:image:secure_url': meta.image,
+    'og:image:alt': meta.imageAlt,
+    'og:updated_time': meta.modified_time,
+    'article:tag': meta.tags || [],
+    'article:section': meta.section,
+    'article:published_time': meta.published_time,
+    'article:modified_time': meta.modified_time,
+    'twitter:card': meta['twitter:card'],
+    'twitter:title': meta.title,
+    'twitter:description': meta.description,
+    'twitter:image': meta.image,
+  };
+  // remove meta with no values
+  for (const name of Object.keys(metadata)) {
+    if (!metadata[name]) {
+      delete metadata[name];
+    }
+  }
+  // append custom metadata
+  Object.assign(metadata, meta.custom);
+
+  // remove og:url with explicit removal marker
+  if (metadata['og:url'] === '""') {
+    delete metadata['og:url'];
+  }
+
   appendElement($head, createElement('link', 'rel', 'canonical', 'href', content.meta.canonical));
   appendElement($head, createElement('meta', 'name', 'description', 'content', content.meta.description));
   appendElement($head, createElement('meta', 'name', 'keywords', 'content', content.meta.keywords));
-  appendElement($head, createElement('meta', 'property', 'og:title', 'content', content.meta.title));
-  appendElement($head, createElement('meta', 'property', 'og:description', 'content', content.meta.description));
-  appendElement($head, createElement('meta', 'property', 'og:url', 'content', content.meta.url));
-  appendElement($head, createElement('meta', 'property', 'og:image', 'content', content.meta.image));
-  appendElement($head, createElement('meta', 'property', 'og:image:secure_url', 'content', content.meta.image));
-  appendElement($head, createElement('meta', 'property', 'og:image:alt', 'content', content.meta.imageAlt));
-  appendElement($head, createElement('meta', 'property', 'og:updated_time', 'content', content.meta.modified_time));
-  for (const tag of (meta.tags || [])) {
-    appendElement($head, createElement('meta', 'property', 'article:tag', 'content', tag));
-  }
-  appendElement($head, createElement('meta', 'property', 'article:section', 'content', content.meta.section));
-  appendElement($head, createElement('meta', 'property', 'article:published_time', 'content', content.meta.published_time));
-  appendElement($head, createElement('meta', 'property', 'article:modified_time', 'content', content.meta.modified_time));
-  appendElement($head, createElement('meta', 'name', 'twitter:card', 'content', content.meta['twitter:card']));
-  appendElement($head, createElement('meta', 'name', 'twitter:title', 'content', content.meta.title));
-  appendElement($head, createElement('meta', 'name', 'twitter:description', 'content', content.meta.description));
-  appendElement($head, createElement('meta', 'name', 'twitter:image', 'content', content.meta.image));
 
-  for (const custom of (meta.custom || [])) {
-    appendElement($head, createElement('meta', custom.property ? 'property' : 'name', custom.name, 'content', custom.value));
+  for (const [name, value] of Object.entries(metadata)) {
+    const attr = name.includes(':') && !name.startsWith('twitter:') ? 'property' : 'name';
+    if (Array.isArray(value)) {
+      for (const v of value) {
+        appendElement($head, createElement('meta', attr, name, 'content', v));
+      }
+    } else {
+      appendElement($head, createElement('meta', attr, name, 'content', value));
+    }
   }
   appendElement($head, createElement('link', 'rel', 'alternate', 'type', 'application/xml+atom', 'href', meta.feed, 'title', `${meta.title} feed`));
 

package/src/steps/set-custom-response-headers.js

@@ -9,7 +9,43 @@
  * OF ANY KIND, either express or implied. See the License for the specific language
  * governing permissions and limitations under the License.
  */
-import { cleanupHeaderValue } from '@adobe/helix-shared-utils';
+function cleanupHeaderValue(value) {
+  return value
+    .replace(/[^\t\u0020-\u007E\u0080-\u00FF]/g, '')
+    .substring(0, 1024 * 64);
+}
+
+/**
+ * Computes the access-control-allow-origin header value.
+ * The value can either be a single value or a comma separated list of origin names or patterns.
+ * If only a single static value is given (eg `*` or `https://www.adobe.com`), it is used verbatim.
+ * If multiple values are given, the one matching the origin request header is used.
+ * If any of the values is a regexp, the origin request header is used, if any match is given.
+ *
+ * @param {PipelineRequest} req
+ * @param {string} value
+ * @return {string} the access-control-allow-origin header value.
+ */
+function getACAOriginValue(req, value) {
+  /** @type string */
+  const origin = req.headers.get('origin') || '*';
+  const values = value.split(',')
+    .map((v) => v.trim());
+
+  if (values.length === 1 && !values[0].startsWith('/')) {
+    return values[0];
+  }
+
+  for (const v of values) {
+    if (v.startsWith('/') && v.endsWith('/') && new RegExp(v.substring(1, v.length - 1)).test(origin)) {
+      return origin;
+    }
+    if (v === origin) {
+      return origin;
+    }
+  }
+  return '';
+}
 
 /**
  * Decorates the pipeline response object with the headers defined in metadata.json.
@@ -23,7 +59,13 @@ export default function setCustomResponseHeaders(state, req, res) {
   Object.entries(state.headers.getModifiers(state.info.path)).forEach(([name, value]) => {
     // only use `link` header for extensionless pipeline
     if (name !== 'link' || (state.type === 'html' && state.info.selector === '')) {
-      res.headers.set(name, cleanupHeaderValue(value));
+      let val = cleanupHeaderValue(value);
+      if (name === 'access-control-allow-origin') {
+        val = getACAOriginValue(req, val);
+      }
+      if (val) {
+        res.headers.set(name, val);
+      }
     }
   });
 }