@wdprlib/parser 3.1.1 → 3.2.0

package/src/parser/rules/block/html.ts

@@ -0,0 +1,222 @@
+/**
+ *
+ * Block rule for the Wikidot HTML block: `[[html]]...[[/html]]`.
+ *
+ * An HTML block embeds raw HTML that Wikidot renders inside a sandboxed
+ * `<iframe>`. The content between the tags is captured verbatim (no inline
+ * parsing) and stored as an `html` element in the AST.
+ *
+ * Supported attributes on the opening tag:
+ * - `style` -- applied to the containing iframe. Other attributes are
+ *   parsed but only `style` is used by Wikidot's renderer.
+ *
+ * The raw content is also pushed into `ctx.htmlBlocks` for document-level
+ * enumeration.
+ *
+ * If no `[[/html]]` closing tag is found, the rule fails and the opening
+ * tag falls through to text rendering (matching Wikidot behaviour).
+ *
+ * @module
+ */
+import type { Element } from "@wdprlib/ast";
+import type { BlockRule, ParseContext, RuleResult } from "../types";
+import { currentToken } from "../types";
+import { parseBlockName, parseAttributesRaw } from "./utils";
+
+/**
+ * Scan forward from `from` to see whether a real `[[/html]]` close tag
+ * exists later in the token stream. Used by the disabled path to decide
+ * whether the blank-line stop should fire.
+ *
+ * Recognises whitespace between the name and the closing `]]` so the
+ * answer matches what the main consume loop would actually accept.
+ */
+export function lookaheadHasHtmlClose(ctx: ParseContext, from: number): boolean {
+  for (let i = from; i < ctx.tokens.length; i++) {
+    const t = ctx.tokens[i];
+    if (!t || t.type === "EOF") return false;
+    if (t.type !== "BLOCK_END_OPEN") continue;
+    const closeName = parseBlockName(ctx, i + 1);
+    if (closeName?.name.toLowerCase() !== "html") continue;
+    let cp = i + 1 + closeName.consumed;
+    while (ctx.tokens[cp]?.type === "WHITESPACE") cp++;
+    if (ctx.tokens[cp]?.type === "BLOCK_CLOSE") return true;
+  }
+  return false;
+}
+
+/**
+ * Block rule for `[[html]]...[[/html]]`.
+ *
+ * Body content is stored as raw text. The optional `style` attribute is
+ * passed through to the AST element for iframe styling.
+ */
+export const htmlBlockRule: BlockRule = {
+  name: "html",
+  startTokens: ["BLOCK_OPEN"],
+  requiresLineStart: false,
+
+  parse(ctx: ParseContext): RuleResult<Element> {
+    const openToken = currentToken(ctx);
+    if (openToken.type !== "BLOCK_OPEN") {
+      return { success: false };
+    }
+
+    let pos = ctx.pos + 1;
+    let consumed = 1;
+
+    // Parse block name
+    const nameResult = parseBlockName(ctx, pos);
+    if (!nameResult || nameResult.name.toLowerCase() !== "html") {
+      return { success: false };
+    }
+    pos += nameResult.consumed;
+    consumed += nameResult.consumed;
+
+    // Parse attributes (type="css", style="...", etc.)
+    // Only style attribute is used by Wikidot (applied to iframe)
+    const attrResult = parseAttributesRaw(ctx, pos);
+    pos += attrResult.consumed;
+    consumed += attrResult.consumed;
+    const style = attrResult.attrs.style;
+
+    // Expect ]]
+    if (ctx.tokens[pos]?.type !== "BLOCK_CLOSE") {
+      return { success: false };
+    }
+    pos++;
+    consumed++;
+
+    // Settings-level gate: when `[[html]]` is disabled, still consume the
+    // entire block so the raw body cannot leak as text, but produce no
+    // AST element and skip the `ctx.htmlBlocks` push. The malformed
+    // opener path above (missing `]]`) is intentionally not affected —
+    // it falls through to text rendering as before.
+    const disabled = ctx.settings.allowHtmlBlocks === false;
+
+    // When disabled, the blank-line stop must only kick in if no real
+    // `[[/html]]` exists later in the stream. A closed block legitimately
+    // contains blank lines between paragraphs.
+    const hasCloseAhead = disabled && lookaheadHasHtmlClose(ctx, pos);
+
+    // Collect HTML content until [[/html]]. When disabled, the body is
+    // discarded so accumulation is skipped entirely to avoid building a
+    // large string only to drop it.
+    let contents = "";
+    let foundClose = false;
+
+    while (pos < ctx.tokens.length) {
+      const token = ctx.tokens[pos];
+      if (!token || token.type === "EOF") break;
+
+      // When disabled with no close ahead, stop at a blank line so the
+      // rule does not swallow subsequent paragraphs.
+      if (
+        disabled &&
+        !hasCloseAhead &&
+        token.type === "NEWLINE" &&
+        ctx.tokens[pos + 1]?.type === "NEWLINE"
+      ) {
+        break;
+      }
+
+      // Check for closing [[/html]] — require the trailing `]]` so a
+      // malformed `[[/html` without its close does not falsely terminate
+      // the body and leak the rest as text.
+      if (token.type === "BLOCK_END_OPEN") {
+        const closeNameResult = parseBlockName(ctx, pos + 1);
+        if (closeNameResult?.name.toLowerCase() === "html") {
+          let checkPos = pos + 1 + closeNameResult.consumed;
+          while (ctx.tokens[checkPos]?.type === "WHITESPACE") checkPos++;
+          if (ctx.tokens[checkPos]?.type === "BLOCK_CLOSE") {
+            foundClose = true;
+            break;
+          }
+        }
+      }
+
+      if (!disabled) {
+        contents += token.value;
+      }
+      pos++;
+      consumed++;
+    }
+
+    // If no closing tag found:
+    //  - enabled: fail (matches Wikidot fallback to text)
+    //  - disabled: still consume to EOF so the body cannot leak, but emit
+    //    both the unclosed warning and the disabled-info diagnostics.
+    if (!foundClose) {
+      ctx.diagnostics.push({
+        severity: "warning",
+        code: "unclosed-block",
+        message: "Missing closing tag [[/html]] for [[html]]",
+        position: openToken.position,
+      });
+      if (!disabled) {
+        return { success: false };
+      }
+      ctx.diagnostics.push({
+        severity: "info",
+        code: "html-block-disabled",
+        message: "[[html]] block ignored: disabled by settings",
+        position: openToken.position,
+      });
+      return { success: true, elements: [], consumed };
+    }
+
+    // Consume [[/html]] (skipping any whitespace between name and `]]`
+    // to match the close-detection above).
+    if (ctx.tokens[pos]?.type === "BLOCK_END_OPEN") {
+      pos++;
+      consumed++;
+      const closeNameResult = parseBlockName(ctx, pos);
+      if (closeNameResult) {
+        pos += closeNameResult.consumed;
+        consumed += closeNameResult.consumed;
+      }
+      while (ctx.tokens[pos]?.type === "WHITESPACE") {
+        pos++;
+        consumed++;
+      }
+      if (ctx.tokens[pos]?.type === "BLOCK_CLOSE") {
+        pos++;
+        consumed++;
+      }
+      if (ctx.tokens[pos]?.type === "NEWLINE") {
+        pos++;
+        consumed++;
+      }
+    }
+
+    if (disabled) {
+      ctx.diagnostics.push({
+        severity: "info",
+        code: "html-block-disabled",
+        message: "[[html]] block ignored: disabled by settings",
+        position: openToken.position,
+      });
+      return { success: true, elements: [], consumed };
+    }
+
+    // Trim the contents
+    contents = contents.trim();
+
+    // Store html block in context
+    ctx.htmlBlocks.push(contents);
+
+    return {
+      success: true,
+      elements: [
+        {
+          element: "html",
+          data: {
+            contents,
+            ...(style && { style }),
+          },
+        },
+      ],
+      consumed,
+    };
+  },
+};

package/src/parser/rules/block/iframe.ts

@@ -0,0 +1,239 @@
+/**
+ *
+ * Block rule for the Wikidot iframe block: `[[iframe URL attributes]]`.
+ *
+ * The `[[iframe]]` tag is a self-closing block that embeds an external
+ * page in an `<iframe>`. The first argument after the block name is the
+ * URL, followed by optional attributes.
+ *
+ * Security measures:
+ * - Only `http://` and `https://` URLs are accepted.
+ * - `javascript:`, `data:`, and `vbscript:` schemes are rejected.
+ * - URL normalisation strips whitespace and control characters to prevent
+ *   evasion via character insertion.
+ * - Only a specific set of HTML attributes is allowed (Wikidot filters
+ *   out `id` but permits `class`).
+ *
+ * Allowed attributes: `align`, `class`, `frameborder`, `height`,
+ * `scrolling`, `style`, `width`.
+ *
+ * @module
+ */
+import type { AttributeMap, Element } from "@wdprlib/ast";
+import type { BlockRule, ParseContext, RuleResult } from "../types";
+import { currentToken } from "../types";
+import { parseBlockName } from "./utils";
+
+/**
+ * Whitelist of attributes permitted on `[[iframe]]`. Wikidot strips
+ * `id` but permits `class`.
+ */
+const ALLOWED_IFRAME_ATTRS = new Set([
+  "align",
+  "class",
+  "frameborder",
+  "height",
+  "scrolling",
+  "style",
+  "width",
+]);
+
+/**
+ * Normalises a URL string for security checks by removing whitespace and
+ * control characters (U+0000--U+001F, U+007F--U+009F) that could be used
+ * to evade scheme detection, then lowercasing the result.
+ *
+ * @param url - The raw URL string.
+ * @returns The normalised, lowercased URL.
+ */
+function normalizeUrl(url: string): string {
+  return url.replace(/[\s\u0000-\u001f\u007f-\u009f]/g, "").toLowerCase();
+}
+
+/**
+ * Tests whether a normalised URL begins with a dangerous scheme
+ * (`javascript:`, `data:`, `vbscript:`) that must be rejected.
+ *
+ * @param normalizedUrl - The URL after {@link normalizeUrl} processing.
+ * @returns `true` if the URL has a dangerous scheme.
+ */
+function isDangerousUrl(normalizedUrl: string): boolean {
+  return /^(javascript|data|vbscript):/i.test(normalizedUrl);
+}
+
+/**
+ * Block rule for `[[iframe URL ...attributes]]`.
+ *
+ * Parsing strategy:
+ * 1. Match BLOCK_OPEN + name "iframe".
+ * 2. Consume the URL (all tokens until whitespace, BLOCK_CLOSE, or newline).
+ * 3. Validate the URL: normalise, reject dangerous schemes, require http(s).
+ * 4. Parse key/value attributes, filtering through `ALLOWED_IFRAME_ATTRS`.
+ * 5. Consume closing `]]` and optional trailing newline.
+ * 6. Emit an `iframe` element with `url` and `attributes`.
+ */
+export const iframeRule: BlockRule = {
+  name: "iframe",
+  startTokens: ["BLOCK_OPEN"],
+  requiresLineStart: false,
+
+  parse(ctx: ParseContext): RuleResult<Element> {
+    const openToken = currentToken(ctx);
+    if (openToken.type !== "BLOCK_OPEN") {
+      return { success: false };
+    }
+
+    let pos = ctx.pos + 1;
+    let consumed = 1;
+
+    // Parse block name
+    const nameResult = parseBlockName(ctx, pos);
+    if (!nameResult || nameResult.name.toLowerCase() !== "iframe") {
+      return { success: false };
+    }
+    pos += nameResult.consumed;
+    consumed += nameResult.consumed;
+
+    // Skip whitespace
+    while (ctx.tokens[pos]?.type === "WHITESPACE") {
+      pos++;
+      consumed++;
+    }
+
+    // Parse URL (first argument)
+    let url = "";
+    while (pos < ctx.tokens.length) {
+      const token = ctx.tokens[pos];
+      if (!token) break;
+      if (token.type === "BLOCK_CLOSE" || token.type === "WHITESPACE" || token.type === "NEWLINE") {
+        break;
+      }
+      url += token.value;
+      pos++;
+      consumed++;
+    }
+
+    if (!url) {
+      return { success: false };
+    }
+
+    // Normalize URL for consistent security checks
+    const normalizedUrl = normalizeUrl(url);
+
+    // Reject dangerous URLs (javascript:, data:, vbscript:)
+    // These will fall back to text rendering
+    if (isDangerousUrl(normalizedUrl)) {
+      return { success: false };
+    }
+
+    // Only allow http:// and https:// URLs (checked against normalized URL)
+    // This blocks relative URLs and other schemes
+    if (!/^https?:\/\//i.test(normalizedUrl)) {
+      return { success: false };
+    }
+
+    // Parse attributes
+    const attributes: AttributeMap = {};
+
+    while (pos < ctx.tokens.length) {
+      const token = ctx.tokens[pos];
+      if (!token || token.type === "BLOCK_CLOSE") break;
+
+      if (token.type === "NEWLINE") {
+        break;
+      }
+
+      if (token.type === "WHITESPACE") {
+        pos++;
+        consumed++;
+        continue;
+      }
+
+      // Parse key=value or key="value"
+      if (token.type === "IDENTIFIER" || token.type === "TEXT") {
+        const key = token.value;
+        pos++;
+        consumed++;
+
+        // Skip whitespace
+        while (ctx.tokens[pos]?.type === "WHITESPACE") {
+          pos++;
+          consumed++;
+        }
+
+        // Expect =
+        if (ctx.tokens[pos]?.type === "EQUALS") {
+          pos++;
+          consumed++;
+
+          // Skip whitespace
+          while (ctx.tokens[pos]?.type === "WHITESPACE") {
+            pos++;
+            consumed++;
+          }
+
+          // Parse value
+          let value = "";
+          const valueToken = ctx.tokens[pos];
+          if (valueToken?.type === "QUOTED_STRING") {
+            // Remove quotes
+            value = valueToken.value.slice(1, -1);
+            pos++;
+            consumed++;
+          } else {
+            // Unquoted value
+            while (pos < ctx.tokens.length) {
+              const vt = ctx.tokens[pos];
+              if (
+                !vt ||
+                vt.type === "BLOCK_CLOSE" ||
+                vt.type === "WHITESPACE" ||
+                vt.type === "NEWLINE"
+              ) {
+                break;
+              }
+              value += vt.value;
+              pos++;
+              consumed++;
+            }
+          }
+
+          // Only allow specific attributes (Wikidot filters out class/id)
+          if (ALLOWED_IFRAME_ATTRS.has(key.toLowerCase())) {
+            attributes[key.toLowerCase()] = value;
+          }
+        }
+      } else {
+        pos++;
+        consumed++;
+      }
+    }
+
+    // Expect ]]
+    if (ctx.tokens[pos]?.type !== "BLOCK_CLOSE") {
+      return { success: false };
+    }
+    pos++;
+    consumed++;
+
+    // Skip trailing newline
+    if (ctx.tokens[pos]?.type === "NEWLINE") {
+      pos++;
+      consumed++;
+    }
+
+    return {
+      success: true,
+      elements: [
+        {
+          element: "iframe",
+          data: {
+            url,
+            attributes,
+          },
+        },
+      ],
+      consumed,
+    };
+  },
+};

package/src/parser/rules/block/iftags.ts

@@ -0,0 +1,150 @@
+/**
+ *
+ * Block rule for Wikidot conditional tag blocks: `[[iftags]]...[[/iftags]]`.
+ *
+ * The `[[iftags]]` construct conditionally includes or excludes its body
+ * content based on the page's tags. The condition expression is everything
+ * between the block name and `]]`, e.g.:
+ *
+ * ```
+ * [[iftags +scp -tale]]
+ * This content only shows if the page has tag "scp" and not "tale".
+ * [[/iftags]]
+ * ```
+ *
+ * The condition string is stored as-is in the AST; actual evaluation is
+ * performed at render time based on the page's tag set.
+ *
+ * Body content is parsed as normal block-level markup using
+ * {@link parseBlocksUntil}.
+ *
+ * @module
+ */
+import type { Element } from "@wdprlib/ast";
+import type { BlockRule, ParseContext, RuleResult } from "../types";
+import { currentToken } from "../types";
+import { parseBlockName, parseBlocksUntil } from "./utils";
+
+/**
+ * Block rule for `[[iftags condition]]...[[/iftags]]`.
+ *
+ * Produces an `if-tags` element containing the condition string and
+ * the parsed body elements.
+ */
+export const iftagsRule: BlockRule = {
+  name: "iftags",
+  startTokens: ["BLOCK_OPEN"],
+  requiresLineStart: false,
+
+  parse(ctx: ParseContext): RuleResult<Element> {
+    const openToken = currentToken(ctx);
+    if (openToken.type !== "BLOCK_OPEN") {
+      return { success: false };
+    }
+
+    let pos = ctx.pos + 1;
+    let consumed = 1;
+
+    // Parse block name
+    const nameResult = parseBlockName(ctx, pos);
+    if (!nameResult || nameResult.name.toLowerCase() !== "iftags") {
+      return { success: false };
+    }
+    pos += nameResult.consumed;
+    consumed += nameResult.consumed;
+
+    // Skip whitespace
+    while (ctx.tokens[pos]?.type === "WHITESPACE") {
+      pos++;
+      consumed++;
+    }
+
+    // Parse condition (tag expressions)
+    let condition = "";
+    while (pos < ctx.tokens.length) {
+      const token = ctx.tokens[pos];
+      if (!token || token.type === "BLOCK_CLOSE" || token.type === "NEWLINE") {
+        break;
+      }
+      condition += token.value;
+      pos++;
+      consumed++;
+    }
+
+    // Expect ]]
+    if (ctx.tokens[pos]?.type !== "BLOCK_CLOSE") {
+      return { success: false };
+    }
+    pos++;
+    consumed++;
+
+    // Skip newline after opening tag
+    if (ctx.tokens[pos]?.type === "NEWLINE") {
+      pos++;
+      consumed++;
+    }
+
+    // Close condition for [[/iftags]]
+    const closeCondition = (checkCtx: ParseContext): boolean => {
+      const token = checkCtx.tokens[checkCtx.pos];
+      if (token?.type === "BLOCK_END_OPEN") {
+        const closeNameResult = parseBlockName(checkCtx, checkCtx.pos + 1);
+        if (closeNameResult?.name.toLowerCase() === "iftags") {
+          return true;
+        }
+      }
+      return false;
+    };
+
+    // Parse body
+    const bodyCtx: ParseContext = { ...ctx, pos };
+    const bodyResult = parseBlocksUntil(bodyCtx, closeCondition);
+    consumed += bodyResult.consumed;
+    pos += bodyResult.consumed;
+
+    // Check for missing close tag
+    if (ctx.tokens[pos]?.type !== "BLOCK_END_OPEN") {
+      ctx.diagnostics.push({
+        severity: "warning",
+        code: "unclosed-block",
+        message: "Missing closing tag [[/iftags]] for [[iftags]]",
+        position: openToken.position,
+      });
+    }
+
+    // Consume [[/iftags]]
+    if (ctx.tokens[pos]?.type === "BLOCK_END_OPEN") {
+      pos++;
+      consumed++;
+      const closeNameResult = parseBlockName(ctx, pos);
+      if (closeNameResult) {
+        pos += closeNameResult.consumed;
+        consumed += closeNameResult.consumed;
+      }
+      if (ctx.tokens[pos]?.type === "BLOCK_CLOSE") {
+        pos++;
+        consumed++;
+      }
+      if (ctx.tokens[pos]?.type === "NEWLINE") {
+        pos++;
+        consumed++;
+      }
+    }
+
+    condition = condition.trim();
+
+    return {
+      success: true,
+      elements: [
+        {
+          element: "if-tags",
+          data: {
+            condition,
+            elements: bodyResult.elements,
+          },
+        },
+      ],
+      consumed,
+    };
+  },
+};