@rhinostone/swig 2.0.0-alpha.1 → 2.0.0-alpha.3

package/lib/tags/macro.js

@@ -16,27 +16,18 @@
  *
  * @param {...arguments} arguments  User-defined arguments.
  */
+var ir = require('@rhinostone/swig-core/lib/ir');
+
 exports.compile = function (compiler, args, content, parents, options, blockName) {
   var fnName = args.shift();
-
-  return '_ctx.' + fnName + ' = function (' + args.join('') + ') {\n' +
-    '  var _output = "",\n' +
-    '    __ctx = _utils.extend({}, _ctx);\n' +
-    '  _utils.each(_ctx, function (v, k) {\n' +
-    '    if (["' + args.join('","') + '"].indexOf(k) !== -1) { delete _ctx[k]; }\n' +
-    '  });\n' +
-    compiler(content, parents, options, blockName) + '\n' +
-    ' _ctx = _utils.extend(_ctx, __ctx);\n' +
-    '  return _output;\n' +
-    '};\n' +
-    '_ctx.' + fnName + '.safe = true;\n';
+  return ir.macro(fnName, args, [ir.legacyJS(compiler(content, parents, options, blockName))]);
 };
 
 // CVE-2023-25345: prototype-chain properties that must not be used as macro
 // names. The macro tag assigns the compiled function to _ctx, so dangerous
 // names would pollute the prototype chain. Shared constant in
 // @rhinostone/swig-core — see .claude/security.md.
-var _dangerousProps = require('../../packages/swig-core/lib/security').dangerousProps;
+var _dangerousProps = require('@rhinostone/swig-core/lib/security').dangerousProps;
 
 exports.parse = function (str, line, parser, types) {
   var name;
@@ -45,7 +36,24 @@ exports.parse = function (str, line, parser, types) {
     if (token.match.indexOf('.') !== -1) {
       throw new Error('Unexpected dot in macro argument "' + token.match + '" on line ' + line + '.');
     }
-    this.out.push(token.match);
+    if (!name) {
+      // No FUNCTION/FUNCTIONEMPTY token emitted (e.g. `{% macro foo %}` with
+      // no parens): this VAR is the macro name. CVE-2023-25345: block
+      // prototype-chain property names as macro names.
+      if (_dangerousProps.indexOf(token.match) !== -1) {
+        throw new Error('Unsafe macro name "' + token.match + '" is not allowed (CVE-2023-25345) on line ' + line + '.');
+      }
+      name = token.match;
+      this.out.push(name);
+      return;
+    }
+    // CVE-2023-25345: macros assign `_ctx.<paramName>` implicitly inside
+    // the IIFE scaffolding, so a prototype-chain property name as a
+    // parameter would pollute the prototype chain at invocation time.
+    if (_dangerousProps.indexOf(token.match) !== -1) {
+      throw new Error('Unsafe macro argument "' + token.match + '" is not allowed (CVE-2023-25345) on line ' + line + '.');
+    }
+    this.out.push({ name: token.match });
   });
 
   parser.on(types.FUNCTION, function (token) {
@@ -79,7 +87,7 @@ exports.parse = function (str, line, parser, types) {
   });
 
   parser.on(types.COMMA, function () {
-    return true;
+    return;
   });
 
   parser.on('*', function () {

package/lib/tags/parent.js

@@ -1,3 +1,5 @@
+var ir = require('@rhinostone/swig-core/lib/ir');
+
 /**
  * Inject the content from the parent template's block of the same name into the current block.
  *
@@ -33,7 +35,12 @@ exports.compile = function (compiler, args, content, parents, options, blockName
     // Silly JSLint "Strange Loop" requires return to be in a conditional
     if (breaker && parentFile !== parent.name) {
       block = parent.blocks[blockName];
-      return block.compile(compiler, [blockName], block.content, parents.slice(i + 1), options) + '\n';
+      // Phase 2: the block tag now returns `IRBlock { body: [...] }`.
+      // Splice the matched parent block's body into an IRParent node;
+      // the backend emits body verbatim plus a trailing newline for
+      // byte-identity with the pre-Phase-2 JS-string emission shape.
+      var blockNode = block.compile(compiler, [blockName], block.content, parents.slice(i + 1), options);
+      return ir.parent((blockNode && blockNode.body) ? blockNode.body.concat([ir.legacyJS('\n')]) : [ir.legacyJS('\n')]);
     }
   }
 };
@@ -48,4 +55,4 @@ exports.parse = function (str, line, parser, types, stack, opts) {
   });
 
   return true;
-};
+};

package/lib/tags/raw.js

@@ -1,5 +1,7 @@
 // Magic tag, hardcoded into parser
 
+var ir = require('@rhinostone/swig-core/lib/ir');
+
 /**
  * Forces the content to not be auto-escaped. All swig instructions will be ignored and the content will be rendered exactly as it was given.
  *
@@ -12,7 +14,16 @@
  *
  */
 exports.compile = function (compiler, args, content, parents, options, blockName) {
-  return compiler(content, parents, options, blockName);
+  var nodes = [];
+  var i;
+  for (i = 0; i < content.length; i++) {
+    if (typeof content[i] === 'string') {
+      nodes.push(ir.raw(content[i]));
+    } else {
+      nodes.push(ir.legacyJS(compiler([content[i]], parents, options, blockName)));
+    }
+  }
+  return nodes;
 };
 exports.parse = function (str, line, parser) {
   parser.on('*', function (token) {

package/lib/tags/set.js

@@ -31,13 +31,68 @@
  * @param {literal} assignement   Any valid JavaScript assignement. <code data-language="js">=, +=, *=, /=, -=</code>
  * @param {*}   value     Valid variable output.
  */
-exports.compile = function (compiler, args) {
-  return args.join(' ') + ';\n';
+var ir = require('@rhinostone/swig-core/lib/ir'),
+  _t = require('@rhinostone/swig-core/lib/tokentypes');
+
+// Pure-dot LHS shape: `_ctx.foo` or `_ctx.foo.bar.baz`. Bracket-touched
+// targets (`_ctx.foo["bar"]`, `_ctx.foo[bar]`, mixed dot+bracket) fail
+// this match and stay on the transitional string fallback per Session
+// 14b Commit 10's narrow scope — the bracket-lvalue contract is a
+// cross-flavor design call and is deferred to a dedicated session.
+var _pureDotTarget = /^_ctx\.([a-zA-Z_$][\w$]*)((?:\.[a-zA-Z_$][\w$]*)*)$/;
+
+exports.compile = function (compiler, args, content, parents, options, blockName, token) {
+  // Target migrates to structured IRVarRef when the LHS is pure-dot;
+  // otherwise stays a transitional string fragment. Value prefers the
+  // lowered IRExpr carried on the token when lowerExpr produced one;
+  // otherwise fall back to the joined JS-source fragments the parse
+  // handler emitted.
+  var target = args[0];
+  var match = typeof target === 'string' && _pureDotTarget.exec(target);
+  if (match) {
+    var path = [match[1]];
+    if (match[2]) {
+      var rest = match[2].split('.');
+      for (var pi = 1; pi < rest.length; pi++) { path.push(rest[pi]); }
+    }
+    target = ir.varRef(path);
+  }
+  var value = (token && token.irExpr) ? token.irExpr : args.slice(2).join(' ');
+  return ir.set(target, args[1], value);
 };
 
 // CVE-2023-25345: prototype-chain properties that must not be assignable.
 // Shared constant in @rhinostone/swig-core — see .claude/security.md.
-var _dangerousProps = require('../../packages/swig-core/lib/security').dangerousProps;
+var _dangerousProps = require('@rhinostone/swig-core/lib/security').dangerousProps;
+
+exports.lowerExpr = function (parser, tokens) {
+  // The set tag's parse handler consumes LHS VAR / BRACKETOPEN / STRING /
+  // BRACKETCLOSE / DOTKEY / ASSIGNMENT tokens up to (and including) the
+  // assignment operator; lowerExpr only concerns itself with the RHS.
+  // Locate the first ASSIGNMENT, slice the tail, and hand it to parseExpr.
+  // Fall back (return undefined) if the tail contains FILTER / FILTEREMPTY
+  // (filter pipes are not part of the expression grammar yet — Session
+  // 14+ Output-site work) or a nested ASSIGNMENT (parseExpr does not
+  // lower assignments, and bracket-write-as-assignment on the RHS would
+  // misparse silently).
+  var assignIdx = -1, i;
+  for (i = 0; i < tokens.length; i++) {
+    if (tokens[i].type === _t.ASSIGNMENT) {
+      assignIdx = i;
+      break;
+    }
+  }
+  if (assignIdx === -1) { return undefined; }
+  var rhsTokens = tokens.slice(assignIdx + 1);
+  for (i = 0; i < rhsTokens.length; i++) {
+    if (rhsTokens[i].type === _t.FILTER ||
+        rhsTokens[i].type === _t.FILTEREMPTY ||
+        rhsTokens[i].type === _t.ASSIGNMENT) {
+      return undefined;
+    }
+  }
+  return parser.parseExpr(rhsTokens);
+};
 
 exports.parse = function (str, line, parser, types) {
   var nameSet = '',

package/lib/utils.js

@@ -1,13 +1,11 @@
 /**
  * Phase 1 carve bridge — utilities moved to @rhinostone/swig-core.
  *
- * This shim re-routes the in-repo relative require so every existing
- * consumer (`require('./utils')` from lib/, `require('../utils')` from
- * lib/tags/ and lib/loaders/, etc.) keeps resolving without churn, and
- * browserify@2 — which predates scoped packages and cannot resolve
- * `@rhinostone/swig-core` — keeps producing an identical browser
- * bundle. Removed when the native frontend restructures into
- * packages/swig/ (Phase 2). See .claude/architecture/multi-flavor-ir.md.
+ * This shim re-routes the in-repo consumer requires (`require('./utils')`
+ * from lib/, `require('../utils')` from lib/tags/ and lib/loaders/) so
+ * every call site keeps resolving without churn. Removed when the native
+ * frontend restructures into packages/swig/ (Phase 2). See
+ * .claude/architecture/multi-flavor-ir.md.
  */
 
-module.exports = require('../packages/swig-core/lib/utils');
+module.exports = require('@rhinostone/swig-core/lib/utils');

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@rhinostone/swig",
-  "version": "2.0.0-alpha.1",
+  "version": "2.0.0-alpha.3",
   "description": "A simple, powerful, and extendable templating engine for node.js and browsers, similar to Django, Jinja2, and Twig.",
   "keywords": [
     "template",
@@ -21,18 +21,20 @@
     "Rhinostone <contact@gina.io>"
   ],
   "dependencies": {
+    "@rhinostone/swig-core": "2.0.0-alpha.3",
     "terser": "^5.46.1",
     "yargs": "^17.7.2"
   },
   "devDependencies": {
     "blanket": "~1.1",
-    "browserify": "~2",
+    "esbuild": "^0.28.0",
     "eslint": "^8.57.1",
     "expect.js": "~0.2",
     "express": "~3",
     "lodash": "~1.3.1",
     "mocha": "1.12.0",
     "mocha-phantomjs": "~3.1",
+    "path-browserify": "^1.0.1",
     "phantomjs": "~1.9.1",
     "travis-cov": "~0.2"
   },