TH1 scripts embedded in /docs and markdown wiki documents
(1) By geoff (geoffrey) on 2022-04-30 13:48:53 [link] [source]
The fossil documentation indicates that markdown wiki documents and embedded documents can have TH1 scripts embedded within <th1> and </th1> tags. The current version does not appear to process such embedded TH1 scripts, if my understanding is correct. The following patch (released to public domain or under the MIT license at user's discretion) makes embedded TH1 scripts work in markdown embedded docs and markdown wiki docs:
Index: src/doc.c
==================================================================
--- src/doc.c
+++ src/doc.c
@@ -785,11 +785,24 @@
document_emit_js();
style_finish_page();
}
}else if( fossil_strcmp(zMime, "text/x-markdown")==0 ){
Blob tail = BLOB_INITIALIZER;
+#ifdef FOSSIL_ENABLE_TH1_DOCS
+ if( Th_AreDocsEnabled() ) {
+ Blob th = BLOB_INITIALIZER;
+ Blob *origBuf = Th_SetOutputBlob(&th);
+ Th_Render(blob_str(pBody));
+ markdown_to_html(&th, &title, &tail);
+ Th_SetOutputBlob(origBuf);
+ blob_reset(&th);
+ } else {
+ markdown_to_html(pBody, &title, &tail);
+ }
+#else
markdown_to_html(pBody, &title, &tail);
+#endif
if( !isPopup ){
if( blob_size(&title)>0 ){
style_header("%s", blob_str(&title));
}else{
style_header("%s", zDefaultTitle);
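Review bot: the result of Th_Render(blob_str(pBody)) in the new FOSSIL_ENABLE_TH1_DOCS branch is discarded, so whatever the script run left in th, partial output included, goes straight into markdown_to_html(&th, &title, &tail) whether or not the script ran cleanly. Check the result and decide explicitly what is emitted when rendering does not complete. Text written by a <th1> block is also parsed as Markdown afterwards, so script output that carries Markdown or HTML syntax changes the page structure; that ordering deserves a comment. Smaller points: markdown_to_html is now called in three places, and selecting the input blob first (pBody or &th) and calling it once would keep the #ifdef narrower; "if( Th_AreDocsEnabled() ) {" and "} else {" should follow the "}else if(" spacing of the surrounding lines.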
Index: src/wiki.c
==================================================================
--- src/wiki.c
+++ src/wiki.c
@@ -198,11 +198,24 @@
void wiki_render_by_mimetype(Blob *pWiki, const char *zMimetype){
if( zMimetype==0 || fossil_strcmp(zMimetype, "text/x-fossil-wiki")==0 ){
wiki_convert(pWiki, 0, 0);
}else if( fossil_strcmp(zMimetype, "text/x-markdown")==0 ){
Blob tail = BLOB_INITIALIZER;
+#ifdef FOSSIL_ENABLE_TH1_DOCS
+ if( Th_AreDocsEnabled() ) {
+ Blob th = BLOB_INITIALIZER;
+ Blob *origBuf = Th_SetOutputBlob(&th);
+ Th_Render(blob_str(pWiki));
+ markdown_to_html(&th, 0, &tail);
+ Th_SetOutputBlob(origBuf);
+ blob_reset(&th);
+ }else{
+ markdown_to_html(pWiki, 0, &tail);
+ }
+#else
markdown_to_html(pWiki, 0, &tail);
+#endif
safe_html(&tail);
@ %s(blob_str(&tail))
blob_reset(&tail);
}else if( fossil_strcmp(zMimetype, "text/x-pikchr")==0 ){
const char *zPikchr = blob_str(pWiki);
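Review bot: the only gate on the new branch in wiki_render_by_mimetype is Th_AreDocsEnabled(), a docs-oriented check, yet the text handed to Th_Render here is pWiki, i.e. wiki page content, so turning TH1 docs on would also run <th1> blocks written by anyone who can edit a wiki page. The safe_html(&tail) call that follows runs after the script has already been evaluated, so it filters only the resulting HTML and does nothing about the server-side execution itself. Suggest dropping this hunk, or gating it on a separate wiki-specific condition rather than the docs check. As in the src/doc.c hunk, the Th_Render result is ignored.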
(2) By george on 2022-04-30 17:15:26 in reply to 1 [link] [source]
Thank you for looking into this.
Although I didn't do a careful analysis, it seems to me that the proposed patch has at least one major issue. It enables server-side scripting (via <th1>...</th1> blocks) for Wiki pages. IIRC, Fossil has never worked that way. If this is enabled unconditionally it would impose a security breach for all repositories where untrusted users can edit Wiki.
Taking into account the recent findings...
Why do you want TH1 scripting (via <th1>...</th1> blocks) inside of *.md? Why not just call the markdown command from within a .th1 file?
(3) By geoff (geoffrey) on 2022-04-30 21:07:25 in reply to 2 [source]
In the documentation at https://fossil-scm.org/home/doc/trunk/www/embeddeddoc.wiki section 2.3 it mentions that with --with-TH1-docs enabled there is server side scripting between <th1> tags for /docs such as markdown docs. This should only be done if the administrator has locked down wiki editing as per the documentation. The patch to doc.c is only compiled if the compile flag is turned on. It only runs the document through TH1 if --with-TH1-docs is enabled as per the documentation. Currently the original code will only run pages through TH1 if they have a mimetype consistent with a ".th1" file extension as you mentioned. If my understanding of the documentation is not correct, then I find the documentation confusing because in section 2.3 it appears to state that you can have embedded TH1 scripts between <th1> tags.
In https://fossil-scm.org/home/doc/trunk/www/defcsp.md section "TH1 code" it alludes to the above again in embedded docs.
In relation to TH1 scripts in wiki and markdown wiki content, having reviewed and searched the docs, I agree with your point. I think I may have misconstrued the embedded docs information to apply to wiki docs based on a section in the csp doc, although a reread does not support my interpretation.
In summary, I will withdraw the wiki.c suggestion. In relation to the doc.c change, if this is not correct, it may be that the first reference to the documentation in section 2.3 TH1 DOCUMENTS above may contain information which may mislead. It states "Fossil will substitute the value of TH1 expressions within curly braces into the output Html if you have configured it with the --with-TH1-docs option, which is disabled by default." I believe this is what the doc.c suggested change does.