@rhinostone/swig-twig 2.4.1 → 2.4.2

package/lib/tags/from.js

@@ -50,9 +50,12 @@ exports.block = true;
  * for each requested macro, invokes its `compile` to get the IRMacro
  * node and renders that node to JS through `backend.compile`. A
  * macro requested by name but not found in the imported template
- * raises a filename-aware throw. The resulting
- * `[{compiled, origName, aliasName}, ...]` list is stashed on
- * `token.args` for the compile step to rewrite.
+ * raises a filename-aware throw. The imported file's own nested
+ * `{% import %}` / `{% from %}` tokens are carried through (flagged
+ * `isImport`, with `boundNames` + a synthesized private `slot`) so the
+ * requested macros can reference them at call time. The resulting list
+ * (nested entries + `[{compiled, origName, aliasName}, ...]`) is stashed
+ * on `token.args` for the compile step to rewrite.
  *
  * @param  {string} str    Tag body.
  * @param  {number} line   Source line of the opening `{%`.
@@ -157,9 +160,34 @@ exports.parse = function (str, line, parser, types, stack, opts, swig, token) {
   // Index the imported template's macros by name so we can look up
   // each requested entry once. Raises a filename-aware throw if an
   // entry names a macro that doesn't exist in the imported template.
+  //
+  // The imported file may have its own `{% import %}` / `{% from %}`.
+  // Unlike `{% import %}`, `{% from %}` binds bare names with no namespace
+  // alias to hang those nested imports under, so they re-home under a
+  // synthesized private slot keyed off the path (compile() applies the
+  // rewrite). This keeps the inner names out of the parent's bare scope —
+  // bare `{{ name }}` in the parent stays undefined, matching Twig's rule
+  // that imports are local to the importing template.
+  var privateSlot = '__nsfrom_' + path.replace(/[^a-zA-Z0-9]/g, '_');
+  var nested = [];
   var macroIndex = {};
   utils.each(parsed.tokens, function (tk) {
-    if (!tk || tk.name !== 'macro' || typeof tk.compile !== 'function') {
+    if (!tk || typeof tk.compile !== 'function') {
+      return;
+    }
+    if (tk.name === 'import' || tk.name === 'from') {
+      var bn = (tk.name === 'import')
+        ? [tk.args[tk.args.length - 1]]
+        : utils.map(tk.args, function (a) { return a.aliasName; });
+      nested.push({
+        compiled: tk.compile(null, tk.args.slice(), tk.content, [], compileOpts) + '\n',
+        isImport: true,
+        boundNames: bn,
+        slot: privateSlot
+      });
+      return;
+    }
+    if (tk.name !== 'macro') {
       return;
     }
     macroIndex[tk.args[0]] = tk;
@@ -181,7 +209,7 @@ exports.parse = function (str, line, parser, types, stack, opts, swig, token) {
     });
   }
 
-  token.args = resolved;
+  token.args = nested.concat(resolved);
   return true;
 };
 
@@ -201,6 +229,11 @@ exports.parse = function (str, line, parser, types, stack, opts, swig, token) {
  * `undefined`, matching Twig's "unimported macros are not available"
  * semantic.
  *
+ * The imported file's own nested imports (flagged `isImport`) are emitted
+ * first, re-homed under a private slot (`_ctx.<boundName>` ->
+ * `_ctx.<slot>.<boundName>`) so they resolve for the imported macros at
+ * call time without leaking into the parent's bare scope.
+ *
  * @return {string} JS source that assigns every imported macro into
  *                  `_ctx.<aliasName>`. Backend lifts it into
  *                  `IRLegacyJS`.
@@ -225,20 +258,43 @@ exports.compile = function (compiler, args, content, parents, options) {
       options.filename || ''
     );
   }
-  var allOrigNames = utils.map(args, function (arg) { return arg.origName; }).join('|');
-  var replacements = utils.map(args, function (arg) {
+  var macros = [];
+  var nested = [];
+  utils.each(args, function (a) { (a.isImport ? nested : macros).push(a); });
+  var allOrigNames = utils.map(macros, function (arg) { return arg.origName; }).join('|');
+  var replacements = utils.map(macros, function (arg) {
     return {
       ex: new RegExp('_ctx\\.' + arg.origName + '(\\W)(?!' + allOrigNames + ')', 'g'),
       re: '_ctx.' + arg.aliasName + '$1'
     };
   });
+  // The imported file's own nested imports re-home under a private slot so
+  // they never leak into the parent's bare scope: `_ctx.<boundName>` ->
+  // `_ctx.<slot>.<boundName>`, applied to the nested setup JS and to every
+  // imported macro body that references a bound name.
+  var innerReplacements = [];
+  utils.each(nested, function (a) {
+    utils.each(a.boundNames, function (nm) {
+      innerReplacements.push({
+        ex: new RegExp('_ctx\\.' + nm + '(\\W)', 'g'),
+        re: '_ctx.' + a.slot + '.' + nm + '$1'
+      });
+    });
+  });
 
   var out = '  var _output = "";\n';
-  utils.each(args, function (arg) {
+  // Nested imports first (under the private slot), so the imported macros
+  // below resolve them at call time.
+  utils.each(nested, function (a) {
+    out += '_ctx.' + a.slot + ' = _ctx.' + a.slot + ' || {};\n';
+    var c = a.compiled;
+    utils.each(innerReplacements, function (re) { c = c.replace(re.ex, re.re); });
+    out += c;
+  });
+  utils.each(macros, function (arg) {
     var c = arg.compiled;
-    utils.each(replacements, function (re) {
-      c = c.replace(re.ex, re.re);
-    });
+    utils.each(replacements, function (re) { c = c.replace(re.ex, re.re); });
+    utils.each(innerReplacements, function (re) { c = c.replace(re.ex, re.re); });
     out += c;
   });
 

package/lib/tags/import.js

@@ -47,13 +47,16 @@ exports.block = true;
  * against the bare-identifier rule and the CVE-2023-25345
  * `_dangerousProps` blocklist.
  *
- * Walks the imported template's token list (via `swig.parseFile`) for
- * `{% macro %}` tokens; for each macro, invokes its `compile` to get
- * the IRMacro node and renders that node to JS through
- * `backend.compile`. The resulting `{compiled, name}` objects + the
- * alias string are stashed on `token.args` — `exports.compile` pops
- * the alias off the tail and performs the namespace-prefix rewrite on
- * each macro's compiled JS.
+ * Walks the imported template's token list (via `swig.parseFile`). For
+ * each `{% macro %}` token, invokes its `compile` to get the IRMacro node
+ * and renders it to JS through `backend.compile`. For each nested
+ * `{% import %}` / `{% from %}` token (the imported file's own imports),
+ * carries its compiled setup through flagged `isImport` (with `boundNames`)
+ * so macros defined here can reference it at call time. The resulting
+ * entries + the alias string are stashed on `token.args` —
+ * `exports.compile` pops the alias off the tail, re-homes any nested
+ * imports under it, and performs the namespace-prefix rewrite on each
+ * macro's compiled JS.
  *
  * @param  {string} str    Tag body.
  * @param  {number} line   Source line of the opening `{%`.
@@ -130,7 +133,37 @@ exports.parse = function (str, line, parser, types, stack, opts, swig, token) {
   var macros = [];
 
   utils.each(parsed.tokens, function (tk) {
-    if (!tk || tk.name !== 'macro' || typeof tk.compile !== 'function') {
+    if (!tk || typeof tk.compile !== 'function') {
+      return;
+    }
+    // The imported file may itself import macros, via `{% import "x" as y %}`
+    // or `{% from "x" import a, b %}`. Carry those nested imports through so
+    // a macro defined here that references a name they bind resolves at call
+    // time — without them the call compiles against a namespace/binding that
+    // was never set up, and silently renders empty.
+    //
+    // Unlike native `lib/tags/import.js` (which emits the nested bindings
+    // straight into the caller's `_ctx` and thereby leaks them into the
+    // parent scope), swig-twig keeps imports local to their template per
+    // Twig's scoping rule: compile() re-homes every bound name under THIS
+    // import's alias (`_ctx.<alias>.<boundName>`), so none is visible bare
+    // in the parent. `tk.args` is already parsed; slice() avoids the pop()
+    // in compile() mutating the cached token.
+    if (tk.name === 'import' || tk.name === 'from') {
+      // Names the nested import binds into _ctx: `{% import %}` binds one
+      // namespace alias (the tail of args); `{% from %}` binds one per
+      // requested entry (its alias name).
+      var boundNames = (tk.name === 'import')
+        ? [tk.args[tk.args.length - 1]]
+        : utils.map(tk.args, function (a) { return a.aliasName; });
+      macros.push({
+        compiled: tk.compile(null, tk.args.slice(), tk.content, [], compileOpts) + '\n',
+        isImport: true,
+        boundNames: boundNames
+      });
+      return;
+    }
+    if (tk.name !== 'macro') {
       return;
     }
     var macroName = tk.args[0];
@@ -145,15 +178,20 @@ exports.parse = function (str, line, parser, types, stack, opts, swig, token) {
 
 /**
  * Emit the namespace-prefix rewrite. Pops the alias off the tail of
- * `args`, builds a `_ctx.<name>(\\W)(?!<allMacros>)` regex for each
- * imported macro, and rewrites every occurrence in each macro's
- * compiled JS to `_ctx.<alias>.<name>`. Concatenates the rewritten
- * bodies after the `_ctx.<alias> = {};` namespace-init line and
- * returns the result as a JS source string (the backend lifts it into
- * `IRLegacyJS`).
+ * `args` and splits the rest into macros and nested imports (flagged
+ * `isImport` by parse()). Builds a `_ctx.<name>(\\W)(?!<allMacros>)`
+ * regex for each imported macro and rewrites every occurrence in each
+ * macro's compiled JS to `_ctx.<alias>.<name>`. Nested imports are
+ * emitted first, re-homed under the alias (`_ctx.<boundName>` ->
+ * `_ctx.<alias>.<boundName>`) so a file's own imports stay local and
+ * never leak bare into the parent scope; the same re-homing is applied
+ * to macro bodies that reference any bound name. Concatenates after the
+ * `_ctx.<alias> = {};` namespace-init line and returns a JS source string
+ * (the backend lifts it into `IRLegacyJS`).
  *
- * @return {string} JS source that initialises `_ctx.<alias>` and
- *                  assigns every imported macro into it.
+ * @return {string} JS source that initialises `_ctx.<alias>`, re-homes
+ *                  any nested imports under it, and assigns every
+ *                  imported macro into it.
  */
 exports.compile = function (compiler, args, content, parents, options) {
   // Phase 2 (#T22): async-codegen branch. Parse stashed `[path, alias]`
@@ -167,20 +205,47 @@ exports.compile = function (compiler, args, content, parents, options) {
     );
   }
   var ctx = args.pop();
-  var allMacros = utils.map(args, function (arg) { return arg.name; }).join('|');
+  var macros = [];
+  var nested = [];
+  utils.each(args, function (a) {
+    (a.isImport ? nested : macros).push(a);
+  });
+  var allMacros = utils.map(macros, function (arg) { return arg.name; }).join('|');
   var out = '_ctx.' + ctx + ' = {};\n  var _output = "";\n';
-  var replacements = utils.map(args, function (arg) {
+  var replacements = utils.map(macros, function (arg) {
     return {
       ex: new RegExp('_ctx\\.' + arg.name + '(\\W)(?!' + allMacros + ')', 'g'),
       re: '_ctx.' + ctx + '.' + arg.name + '$1'
     };
   });
+  // Re-home every name a nested import binds under THIS alias so it stays
+  // local to the imported file (Twig scoping) and never leaks bare into the
+  // parent: `_ctx.<boundName>` -> `_ctx.<alias>.<boundName>`, applied to both
+  // the nested setup JS and every macro body below that references it.
+  // Compounds across import depth (a 3-level chain re-homes at each layer
+  // with no special-casing).
+  var innerReplacements = [];
+  utils.each(nested, function (a) {
+    utils.each(a.boundNames, function (nm) {
+      innerReplacements.push({
+        ex: new RegExp('_ctx\\.' + nm + '(\\W)', 'g'),
+        re: '_ctx.' + ctx + '.' + nm + '$1'
+      });
+    });
+  });
+
+  // Nested imports first, re-homed under the alias, so the macros defined
+  // below resolve them at call time.
+  utils.each(nested, function (a) {
+    var c = a.compiled;
+    utils.each(innerReplacements, function (re) { c = c.replace(re.ex, re.re); });
+    out += c;
+  });
 
-  utils.each(args, function (arg) {
+  utils.each(macros, function (arg) {
     var c = arg.compiled;
-    utils.each(replacements, function (re) {
-      c = c.replace(re.ex, re.re);
-    });
+    utils.each(replacements, function (re) { c = c.replace(re.ex, re.re); });
+    utils.each(innerReplacements, function (re) { c = c.replace(re.ex, re.re); });
     out += c;
   });
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@rhinostone/swig-twig",
-  "version": "2.4.1",
+  "version": "2.4.2",
   "description": "Twig-syntax frontend for the @rhinostone/swig-core template engine. Part of the @rhinostone/swig multi-flavor family.",
   "keywords": [
     "template",
@@ -22,7 +22,7 @@
     "node": ">=12"
   },
   "peerDependencies": {
-    "@rhinostone/swig-core": "2.4.1"
+    "@rhinostone/swig-core": "2.4.2"
   },
   "publishConfig": {
     "access": "public"